Logical frameworks based on intuitionistic or linear logics with higher-type quantification have
been successfully used to give high-level, modular, and formal specifications of many important 
judgments in the area of programming languages and inference systems. Given such specifications, 
it is natural to consider proving properties about the specified systems in the framework: for 
example, given the specification of evaluation for a functional programming language, prove that 
the language is deterministic or that evaluation preserves types. One challenge in developing 
a framework for such reasoning is that higher-order abstract syntax (HOAS), an elegant and 
declarative treatment of object-level abstraction and substitution, is difficult to treat in proofs 
involving induction. In this paper, we present a meta-logic that can be used to reason about 
judgments coded using HOAS; this meta-logic is an extension of a simple intuitionistic logic that 
admits higher-order quantification over simply typed λ-terms (key ingredients for HOAS) as well
as induction and a notion of definition. The latter concept of definition is a proof-theoretic device 
that allows certain theories to be treated as "closed" or as defining fixed points. We explore 
the difficulties of formal meta-theoretic analysis of HOAS encodings by considering encodings of 
intuitionistic and linear logics, and formally derive the admissibility of cut for important subsets 
of these logics. We then propose an approach to avoid the apparent tradeoff between the benefits 
of higher-order abstract syntax and the ability to analyze the resulting encodings. We illustrate 
this approach through examples involving the simple functional and imperative programming 
languages PCF and PCF:=. We formally derive such properties as unicity of typing, subject
reduction, determinacy of evaluation, and the equivalence of transition semantics and natural 
semantics presentations of evaluation. 
INTRODUCTION



Meta-logics and type systems have been used to specify the semantics of a wide
range of logics and computation systems [Avron et al. 1992; Chirimar 1995; Felty
1993; Pfenning and Rohwedder 1992]. This is done by making judgments, such
as "the term M denotes a program," "the program M evaluates to the value V,"
and "the program M has type T," into predicates that can be proved or types for
which inhabitants (proofs) are needed. Since these specification languages often
contain quantification at higher-order types and term structures involving λ-terms,
succinct and elegant specifications can be written using higher-order abstract syntax,
a high-level and declarative treatment of object-level bound variables and object-level
substitution [Miller and Nadathur 1987; Pfenning and Elliott 1988]. In other
approaches to syntactic representation where bound variables are managed directly
using either names or de Bruijn-style numbering, these details must be carefully
addressed and dealt with at most levels of a specification.

Recently, logical specification languages have been used to not only describe how
to perform computations but also describe properties about the encoded computations
[Basin and Constable 1993; Magnusson and Nordström 1994; Matthews et al.
1993; VanInwegen 1996]. By proving these properties in a formal framework, we can
benefit from automated proof assistance and gain greater confidence in our results.
However, this work has been done in languages that do not support higher-order
abstract syntax and so has not been able to benefit from this representation technique.
As a result, theorems about substitution and bound variables can dominate
the task [VanInwegen 1996]. But meta-theoretic reasoning about systems represented
in higher-order abstract syntax has been difficult since the languages and
logics that support this notion of syntax do not provide facilities for the fundamental
operations of case analysis and induction. Moreover, higher-order abstract
syntax leads to types and recursive definitions that do not give rise to monotone
inductive operators, making inductive principles difficult to find.

These apparent difficulties can be overcome, and in this paper we present a meta-logic
in which we can naturally reason about specifications in higher-order abstract
syntax. This meta-logic is a higher-order intuitionistic logic with partial inductive
definitions and natural number induction. Induction on natural numbers allows us
to derive other induction principles via the construction of an appropriate measure.
A partial inductive definition [Hallnäs 1991] is a proof-theoretic formalization that
allows certain theories to be treated as "closed" or as defining fixed points. This
allows us to perform case analyses on the defined judgments. We use this definition
mechanism to specify a small, object-level logic which in turn is used to specify
the computation systems under consideration. In this way, we can talk directly
about the structure of object-logic sequents and their provability. This technique
of representing a logic within a logic is not new (see, for example, Felty and Miller
1988 and Paulson 1986 for some early references) and corresponds to the structure
of common informal reasoning.

The first part of this paper (Sections 1 and 2) presents the meta-logic FOλ^ΔN
(pronounced "fold-n"). To illustrate the use of FOλ^ΔN, we derive several theorems
expressing properties of natural numbers and lists. In Part II we consider
encodings of intuitionistic and linear logics in FOλ^ΔN to illustrate
some difficulties with reasoning in the specification logic about higher-order
abstract syntax and to also demonstrate some strategies to deal with these difficulties.
Unfortunately these strategies involve sacrificing some benefits of higher-order
abstract syntax in order to gain the ability to perform some meta-theoretic analyses.
We avoid this tradeoff in Part III by taking a different
approach to formal reasoning. The key to this approach is to encode the object
system in a specification logic that is separate from the logic FOλ^ΔN in which we
perform the reasoning; this specification logic is itself specified in FOλ^ΔN. This
separation of the specification logic and the meta-logic allows us to reason formally
about specification logic sequents and their derivability, and also reflects the
structure of informal reasoning about higher-order abstract syntax encodings. We
illustrate this approach by considering the static and dynamic semantics of small
functional and imperative programming languages; we are able to derive in FOλ^ΔN
such properties as the unicity of typing, determinacy of semantics, and type preservation
(subject reduction). We conclude with a brief discussion of our
accomplishments and possible extensions of this work.

Part I: THE META-LOGIC FOλ^ΔN

In this part we introduce the logic which we call FOλ^ΔN, an acronym for "first-order
logic for λ with definitions and natural numbers." We present the logic in
the first section, and then proceed in the next with some sample definitions and
propositions. We conclude the part by briefly comparing the strength of FOλ^ΔN
with that of other logical systems.

1. A DESCRIPTION OF THE LOGIC 

The basic logic is an intuitionistic version of a subset of Church's Simple Theory
of Types [Church 1940] in which formulas have the type o. The logical connectives
are ⊥, ⊤, ∧, ∨, ⊃, ∀τ, and ∃τ. The quantification types τ (and thus the types of
variables) are restricted to not contain o. Thus FOλ^ΔN supports quantification
over higher-order (non-predicate) types, a crucial feature for higher-order abstract
syntax, but has a first-order proof theory, since there is no quantification over
predicate types. We will use sequents of the form Γ ⟶ B, where Γ is a finite
multiset of formulas and B is a single formula. The basic inference rules for the
logic are shown in Table I. In the ∀R and ∃L rules, y is an eigenvariable that is
not free in the lower sequent of the rule.

We introduce the natural numbers via the constants z : nt for zero and s : nt → nt
for successor and the predicate nat : nt → o. The right and left rules for this new
predicate are

$$\frac{}{\Gamma \longrightarrow \mathit{nat}\ z}\ \mathit{nat}\mathcal{R} \qquad
\frac{\Gamma \longrightarrow \mathit{nat}\ I}{\Gamma \longrightarrow \mathit{nat}\ (s\ I)}\ \mathit{nat}\mathcal{R} \qquad
\frac{\longrightarrow B\ z \qquad B\ j \longrightarrow B\ (s\ j) \qquad B\ I, \Gamma \longrightarrow C}{\mathit{nat}\ I, \Gamma \longrightarrow C}\ \mathit{nat}\mathcal{L}$$
Table I. Inference rules for the core of FOλ^ΔN

$$\frac{}{\bot, \Gamma \longrightarrow B}\ \bot\mathcal{L} \qquad
\frac{}{\Gamma \longrightarrow \top}\ \top\mathcal{R}$$

$$\frac{B, \Gamma \longrightarrow D}{B \wedge C, \Gamma \longrightarrow D}\ \wedge\mathcal{L} \qquad
\frac{C, \Gamma \longrightarrow D}{B \wedge C, \Gamma \longrightarrow D}\ \wedge\mathcal{L} \qquad
\frac{\Gamma \longrightarrow B \qquad \Gamma \longrightarrow C}{\Gamma \longrightarrow B \wedge C}\ \wedge\mathcal{R}$$

$$\frac{B, \Gamma \longrightarrow D \qquad C, \Gamma \longrightarrow D}{B \vee C, \Gamma \longrightarrow D}\ \vee\mathcal{L} \qquad
\frac{\Gamma \longrightarrow B}{\Gamma \longrightarrow B \vee C}\ \vee\mathcal{R} \qquad
\frac{\Gamma \longrightarrow C}{\Gamma \longrightarrow B \vee C}\ \vee\mathcal{R}$$

$$\frac{\Gamma \longrightarrow B \qquad C, \Gamma \longrightarrow D}{B \supset C, \Gamma \longrightarrow D}\ \supset\mathcal{L} \qquad
\frac{B, \Gamma \longrightarrow C}{\Gamma \longrightarrow B \supset C}\ \supset\mathcal{R}$$

$$\frac{B[t/x], \Gamma \longrightarrow C}{\forall x.B, \Gamma \longrightarrow C}\ \forall\mathcal{L} \qquad
\frac{\Gamma \longrightarrow B[y/x]}{\Gamma \longrightarrow \forall x.B}\ \forall\mathcal{R} \qquad
\frac{B[y/x], \Gamma \longrightarrow C}{\exists x.B, \Gamma \longrightarrow C}\ \exists\mathcal{L} \qquad
\frac{\Gamma \longrightarrow B[t/x]}{\Gamma \longrightarrow \exists x.B}\ \exists\mathcal{R}$$

$$\frac{}{A, \Gamma \longrightarrow A}\ \mathit{init}\text{, where } A \text{ is atomic} \qquad
\frac{B, B, \Gamma \longrightarrow C}{B, \Gamma \longrightarrow C}\ c\mathcal{L} \qquad
\frac{\Delta \longrightarrow B \qquad B, \Gamma \longrightarrow C}{\Delta, \Gamma \longrightarrow C}\ \mathit{cut}$$



In the left rule, the predicate B : nt → o represents the property that is proved
by induction, and j is an eigenvariable that is not free in B. The third premise
of that inference rule witnesses the fact that, in general, B will express a property
stronger than (∧Γ) ⊃ C. Notice that the first two premises of the natL rule involve
no assumptions other than the induction hypothesis (in the second premise). This
is not a restriction on induction since one can choose to do induction on, say,
λw.(∧Γ) ⊃ B w, which would effectively provide the first two premises with the
assumptions from the multiset Γ.

A definitional clause is written ∀x̄[p t̄ ≜ B], where p is a predicate constant, every
free variable of the formula B is also free in at least one term in the list t̄ of terms,
and all variables free in t̄ are contained in the list x̄ of variables. Since all free
variables in p t̄ and B are universally quantified, we often leave these quantifiers
implicit when displaying definitional clauses. The atomic formula p t̄ is called the
head of the clause, and the formula B is called the body. The symbol ≜ is used
simply to indicate a definitional clause: it is not a logical connective. A definition
is a (perhaps infinite) set of definitional clauses. The same predicate may occur in
the head of multiple clauses of a definition: it is best to think of a definition as a
mutually recursive definition of the predicates in the heads of the clauses.

We must also restrict the use of implication in the bodies of definitional clauses;
otherwise cut-elimination does not hold [Schroeder-Heister 1992]. Toward that end
we assume that each predicate symbol p in the language has associated with it a
natural number lvl(p), the level of the predicate. We then extend the notion of
level to formulas and derivations. Given a formula B, its level lvl(B) is defined as
follows:

(1) lvl(p t̄) = lvl(p)

(2) lvl(⊥) = lvl(⊤) = 0

(3) lvl(B ∧ C) = lvl(B ∨ C) = max(lvl(B), lvl(C))

(4) lvl(B ⊃ C) = max(lvl(B) + 1, lvl(C))

(5) lvl(∀x.B) = lvl(∃x.B) = lvl(B).

Given a derivation Π of Γ ⟶ B, lvl(Π) = lvl(B). We now require that for every
definitional clause ∀x̄[p t̄ ≜ B], lvl(B) ≤ lvl(p t̄).
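The level function (1)-(5) and the clause restriction lvl(B) ≤ lvl(p t̄), worked over a small formula syntax. This is added example code, not the paper's; the formula AST and the search for a level assignment (find_levels) are constructions of this example, since the paper simply assumes the levels lvl(p) are given.

```python
"""Levels of FOλΔN formulas and the clause restriction lvl(B) <= lvl(p t)
(added example, not from the paper). Formula AST (constructed here):
("atom", p), ("bot",), ("top",), ("and", B, C), ("or", B, C), ("imp", B, C),
("forall", x, B), ("exists", x, B). A definition is a list of clauses
(head_predicate, body); term arguments play no role in levels."""


def lvl(formula, levels):
    """lvl(B) exactly as in clauses (1)-(5), given a level for each predicate."""
    op = formula[0]
    if op == "atom":
        return levels[formula[1]]                      # (1) lvl(p t) = lvl(p)
    if op in ("bot", "top"):
        return 0                                       # (2)
    if op in ("and", "or"):                            # (3)
        return max(lvl(formula[1], levels), lvl(formula[2], levels))
    if op == "imp":                                    # (4) antecedent costs a level
        return max(lvl(formula[1], levels) + 1, lvl(formula[2], levels))
    if op in ("forall", "exists"):                     # (5)
        return lvl(formula[2], levels)
    raise ValueError(f"unknown connective {op!r}")


def admissible(definition, levels):
    """The restriction: every clause p t = B must have lvl(B) <= lvl(p t)."""
    return all(lvl(body, levels) <= levels[head] for head, body in definition)


def preds(formula):
    op = formula[0]
    if op == "atom":
        return {formula[1]}
    if op in ("bot", "top"):
        return set()
    if op in ("forall", "exists"):
        return preds(formula[2])
    return preds(formula[1]) | preds(formula[2])


def count_imps(formula):
    op = formula[0]
    if op in ("atom", "bot", "top"):
        return 0
    if op in ("forall", "exists"):
        return count_imps(formula[2])
    return (op == "imp") + count_imps(formula[1]) + count_imps(formula[2])


def find_levels(definition):
    """Least level assignment making the definition admissible, or None.

    Not in the paper, which assumes levels are given. Iterating
    levels[head] := max(levels[head], lvl(body)) is monotone, so it reaches the
    least fixed point whenever one exists. In a stable assignment every level
    is bounded by the number of implications in the definition, so a level that
    is pushed past that bound shows no admissible assignment exists.
    """
    bound = sum(count_imps(body) for _, body in definition)
    levels = {p: 0 for _, body in definition for p in preds(body)}
    levels.update({head: 0 for head, _ in definition})
    changed = True
    while changed:
        changed = False
        for head, body in definition:
            need = lvl(body, levels)
            if need > levels[head]:
                if need > bound:
                    return None
                levels[head], changed = need, True
    return levels


# Bodies of Table II's sum, < and <= clauses: no implication, so level 0 works.
TABLE_II_BODIES = [("sum", ("atom", "nat")), ("sum", ("atom", "sum")),
                   ("lt", ("atom", "nat")), ("lt", ("atom", "lt")),
                   ("le", ("top",)), ("le", ("atom", "lt"))]

# Negating another predicate is fine once q sits one level above p ...
STRATIFIED = [("p", ("top",)), ("q", ("imp", ("atom", "p"), ("bot",)))]

# ... but p = (p ⊃ ⊥), the classic clause the restriction is there to exclude,
# would need lvl(p) + 1 <= lvl(p) and is rejected whatever levels are chosen.
SELF_NEGATING = [("p", ("imp", ("atom", "p"), ("bot",)))]
```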

The inference rules for defined atoms are given relative to some fixed definition.
The right-introduction rule for defined atoms is

$$\frac{\Gamma \longrightarrow B\theta}{\Gamma \longrightarrow p\,\bar{u}}\ \mathit{def}\mathcal{R}\text{, where } p\,\bar{u} = (p\,\bar{t})\theta \text{ for some clause } \forall\bar{x}.[p\,\bar{t} \triangleq B],$$

where θ is a substitution of terms for variables. The left rule for defined concepts
uses complete sets of unifiers (CSU):

$$\frac{\{\, B\theta, \Gamma\theta \longrightarrow C\theta \;\mid\; \theta \in \mathit{CSU}(p\,\bar{u}, p\,\bar{t}) \text{ for some clause } \forall\bar{x}.[p\,\bar{t} \triangleq B] \,\}}{p\,\bar{u}, \Gamma \longrightarrow C}\ \mathit{def}\mathcal{L}$$

where θ is a substitution of terms for variables, and the variables x̄ are chosen to
be distinct from the variables free in the lower sequent of the rule. (A set S of
unifiers of t and u is complete if for every unifier ρ of t and u there is a unifier
θ ∈ S such that ρ is θ ∘ σ for some substitution σ [Huet 1975].) Specifying a set
of sequents as the premise should be understood to mean that each sequent in the
set is a premise of the rule. The right rule corresponds to the logic programming
notion of backchaining if we think of ≜ in definitional clauses as reverse implication.
The left rule is similar to definitional reflection [Schroeder-Heister 1995] (not to be
confused with another notion of reflection often considered between a meta-logic
and object-logic) and to an inference rule used by Girard in his note on fixed points
[Girard 1992]. This particular presentation of the rule is due to Eriksson [Eriksson
1991]. Notice that in the defL rule, the free variables of the conclusion can be
instantiated in the premises.

The number of premises of the defL rule may be either infinite or finite (including
zero). If the formula p ū does not unify with the head of any definitional clause,
then the number of premises will be zero. In this case p ū is an unprovable formula
logically equivalent to ⊥, and defL corresponds to the ⊥L rule. If the formula p ū
does unify with the head of a definitional clause, CSUs may be infinite, as is the case
with unifications involving simply typed λ-terms and variables of functional type
(a.k.a. higher-order unification). Clearly an inference rule with an infinite number
of premises is impossible to automate directly. There are many important situations
where CSUs are not only finite but are also singleton (containing a most general
unifier) whenever terms are unifiable. One such case is, of course, the first-order
case. Another case is when the applications of functional variables are restricted
to distinct bound variables in the sense of higher-order pattern unification [Miller
1991]. In this paper, all unification problems will fall into this latter case and,
hence, we can count on the definition left-introduction rule to have a finite (and
small) number of premises.
Assuming that a definition is given and fixed, we have the following results.

Proposition 1.1 Cut-Elimination for FOλ^ΔN. If a sequent is derivable in
FOλ^ΔN, then it is derivable without using the cut rule.

Proof. The proofs of Schroeder-Heister [1993] regarding cut-elimination for
definitions do not appear to extend to our setting where induction is included. A
complete proof of this theorem appears in McDowell [1997] and McDowell and Miller
[2000] and is modeled on proofs by Tait and Martin-Löf that use the technical
notions of normalizability and reducibility. □

The following corollary is an immediate consequence of this cut-elimination theorem.

Corollary 1.2 Consistency of FOλ^ΔN. There is no derivation in FOλ^ΔN
of the sequent ⟶ ⊥.

Although cut-elimination holds for this logic, we do not have the subformula
property since the induction predicate B used in the natL rule is not necessarily a
subformula of the conclusion of that inference rule. In fact, the following inference
rule is derivable from the induction rule:

$$\frac{\longrightarrow B \qquad B, \Gamma \longrightarrow C}{\mathit{nat}\ I, \Gamma \longrightarrow C}$$

This inference rule resembles the cut rule except that it requires a nat assumption.
Although we fail to have the subformula property, the cut-elimination theorem still
provides a strong basis for reasoning about proofs in FOλ^ΔN. Also this formulation
of the induction principle is natural and close to the one used in actual mathematical
practice: that is, invariants must be, at times, clever inventions that are not
simply rearrangements of subformulas. Any automation of FOλ^ΔN will almost certainly
need to be interactive, at least for retrieving instantiations for the induction
predicate B.

2. SOME SIMPLE DEFINITIONS AND PROPOSITIONS 

In this section we illustrate the use of the logic FOλ^ΔN with some examples. We
first define some predicates over the natural numbers and reason about them. Then
we introduce a list type and consider predicates for it. As we prove properties
about these types and predicates, we will interleave informal descriptions of the
proofs with their realization as derivations in FOλ^ΔN. The formal derivations are
by nature detailed and low-level, breaking down proof principles into small pieces.
As a result, what can seem obvious or be described informally in a small number
of words may take a number of steps to accomplish in the formal derivation. But it
is exactly this nature that makes formal derivations amenable to automation; tools
such as proof editors and theorem provers can make the construction of formal
derivations more natural as well as more robust.

We will describe derivations in a "bottom-up" manner - that is, we will start with
the sequent we wish to derive, apply a rule with that sequent as the conclusion, and
continue in this manner with the rule premises. Thus unproved premises represent
statements of what remains to be proved to establish the original sequent. Since
the formal (FOλ^ΔN) derivation is presented in pieces, intermixed with descriptive
text, pieces that occur later in the text will generally be (partial) derivations of
unproved premises from earlier pieces.

Table II. Definitional clauses for predicates over natural numbers

$$\begin{array}{ll}
I = I \triangleq \top & \mathit{sum}\ z\ J\ J \triangleq \mathit{nat}\ J \\
& \mathit{sum}\ (s\ I)\ J\ (s\ K) \triangleq \mathit{sum}\ I\ J\ K \\
z < (s\ J) \triangleq \mathit{nat}\ J & I \le I \triangleq \top \\
(s\ I) < (s\ J) \triangleq I < J & I \le J \triangleq I < J
\end{array}$$

2.1 Natural Numbers 

As described in Section 1, FOλ^ΔN includes a type nt encoding natural numbers and
a membership predicate nat. We now introduce predicates representing equality,
the less-than relation, the less-than-or-equal-to relation, and the addition function.
The types for these predicates are as follows:

$$= : \mathit{nt} \to \mathit{nt} \to o \qquad \mathit{sum} : \mathit{nt} \to \mathit{nt} \to \mathit{nt} \to o \qquad
< : \mathit{nt} \to \mathit{nt} \to o \qquad \le : \mathit{nt} \to \mathit{nt} \to o .$$

The definitional clauses for these predicates are shown in Table II; we shall refer
to this set of clauses as 𝒟(nat). We define two numbers to be equal if they are
unifiable. The clauses for sum indicate that the sum of zero and any other number
J is J, and the sum of (s I) and J is the successor of the sum of I and J. Zero is
less than the successor of any number, and (s I) is less than (s J) whenever I is
less than J. Finally, I ≤ J if I is equal to J or if I is less than J.

We now proceed to reason in the logic FOλ^ΔN about natural numbers and these
predicates over them. As our first example, we derive a case analysis rule for
natural numbers. In general the defL rule is used to formalize case analysis, but
the predicate nat is not a defined predicate, and so the defL rule does not apply
in the case of natural numbers. However, a case analysis may be viewed as an
induction in which we do not use the induction hypothesis in the induction step.
Thus we can derive a case analysis rule for natural numbers from the induction
(natL) rule.

Proposition 2.1. For any formula C : o, predicate B : nt → o, term I : nt,
multiset Γ of formulas, and eigenvariable i : nt such that i is not free in B, the
following rule is derivable in FOλ^ΔN:

$$\frac{\longrightarrow B\ z \qquad \mathit{nat}\ i \longrightarrow B\ (s\ i) \qquad B\ I, \Gamma \longrightarrow C}{\mathit{nat}\ I, \Gamma \longrightarrow C}$$

Proof. This rule expresses the following idea: we want to show that C follows
from Γ and the fact that I is a natural number. Since I is a natural number, it
must be either zero or the successor of another natural number. Thus if we can
show that B holds for zero and for the successor of any natural number (the first
two premises), then we know that B holds for I. It then remains to show that C
follows from B I and Γ (the third premise).
To derive this rule, we assume that we have derivations of the premises and proceed
to prove the conclusion. That is, we construct in FOλ^ΔN a partial derivation
of the sequent nat I, Γ ⟶ C, leaving unproved premises of the form ⟶ B z,
nat i ⟶ B (s i), and B I, Γ ⟶ C. This corresponds to working under the assumption
that B holds both for zero and for the successor of any number and that
B I and Γ imply C. We proceed by induction on I, using (λi.nat i ∧ B i) as our
induction predicate. As a result, we must establish three things:

(1) the base case: zero is a natural number and B holds for it;

(2) the induction step: if i is a natural number and B holds for it, then the same
is true for (s i);

(3) the relevance of the induction predicate: if I is a natural number and B holds
for it, then Γ implies C.

This staging of the problem is represented in FOλ^ΔN by applying the natL rule:

$$\frac{\longrightarrow \mathit{nat}\ z \wedge B\ z \qquad \mathit{nat}\ i \wedge B\ i \longrightarrow \mathit{nat}\ (s\ i) \wedge B\ (s\ i) \qquad \mathit{nat}\ I \wedge B\ I, \Gamma \longrightarrow C}{\mathit{nat}\ I, \Gamma \longrightarrow C}\ \mathit{nat}\mathcal{L}$$

The three premises to the natL rule correspond to the three proof obligations
enumerated above.

Let us first consider the relevance of the induction predicate. This is clear, since
we are working under the assumption that C follows from B I and Γ. This is
formally represented by the partial derivation

$$\frac{B\ I, \Gamma \longrightarrow C}{\mathit{nat}\ I \wedge B\ I, \Gamma \longrightarrow C}\ \wedge\mathcal{L}$$

The base case is also simple: zero is obviously a natural number, and we are
working under the assumption that B holds for zero. This is expressed in FOλ^ΔN
by the partial derivation

$$\frac{\dfrac{}{\longrightarrow \mathit{nat}\ z}\ \mathit{nat}\mathcal{R} \qquad \longrightarrow B\ z}{\longrightarrow \mathit{nat}\ z \wedge B\ z}\ \wedge\mathcal{R}$$

It remains to prove the induction step. Since i is a natural number, (s i) is
as well. In addition, B holds for (s i) by our working assumption. The formal
representation of this reasoning is

$$\frac{\dfrac{\dfrac{\dfrac{}{\mathit{nat}\ i \longrightarrow \mathit{nat}\ i}\ \mathit{init}}{\mathit{nat}\ i \longrightarrow \mathit{nat}\ (s\ i)}\ \mathit{nat}\mathcal{R} \qquad \mathit{nat}\ i \longrightarrow B\ (s\ i)}{\mathit{nat}\ i \longrightarrow \mathit{nat}\ (s\ i) \wedge B\ (s\ i)}\ \wedge\mathcal{R}}{\mathit{nat}\ i \wedge B\ i \longrightarrow \mathit{nat}\ (s\ i) \wedge B\ (s\ i)}\ \wedge\mathcal{L}$$ □

We now use this derived case analysis rule to prove that zero is the smallest
natural number.

Proposition 2.2. The formula ∀i(nat i ⊃ z ≤ i) is derivable in FOλ^ΔN using
the definition 𝒟(nat).
Proof. The proof is a simple case analysis on i. To represent this in FOλ^ΔN,
we apply the ∀R and ⊃R rules to get

$$\mathit{nat}\ i \longrightarrow z \le i ,$$

and then use the derived rule of Proposition 2.1, which yields the three sequents

$$\longrightarrow z \le z \qquad \mathit{nat}\ i' \longrightarrow z \le (s\ i') \qquad z \le i \longrightarrow z \le i .$$

In this case, the third premise is immediate:

$$\frac{}{z \le i \longrightarrow z \le i}\ \mathit{init}$$

If i is zero, then it is immediate that zero is equal to itself and thus less than or
equal to itself:

$$\frac{\dfrac{}{\longrightarrow \top}\ \top\mathcal{R}}{\longrightarrow z \le z}\ \mathit{def}\mathcal{R}$$

If i is the successor of some number i', then z < (s i') by definition, and so
z ≤ (s i') also by definition. This is represented formally by the derivation

$$\frac{\dfrac{\dfrac{}{\mathit{nat}\ i' \longrightarrow \mathit{nat}\ i'}\ \mathit{init}}{\mathit{nat}\ i' \longrightarrow z < (s\ i')}\ \mathit{def}\mathcal{R}}{\mathit{nat}\ i' \longrightarrow z \le (s\ i')}\ \mathit{def}\mathcal{R}$$ □

It is also possible to derive in FOλ^ΔN a rule for complete induction over the
natural numbers [McDowell 1997].

Proposition 2.3 Complete Induction. For any formula C : o, predicate B :
nt → o, term I : nt, multiset Γ of formulas, and eigenvariable j : nt such that j is
not free in B, the following rule is derivable in FOλ^ΔN using the definition 𝒟(nat):

$$\frac{\mathit{nat}\ j, \forall k(\mathit{nat}\ k \supset k < j \supset B\ k) \longrightarrow B\ j \qquad B\ I, \Gamma \longrightarrow C}{\mathit{nat}\ I, \Gamma \longrightarrow C}$$

The following proposition presents additional properties of natural numbers that
we have derived in FOλ^ΔN, although we do not show the derivations here.

Proposition 2.4. The following formulas are derivable in FOλ^ΔN using the
definition 𝒟(nat):

$$\begin{array}{l}
\forall i(\mathit{nat}\ (s\ i) \supset \mathit{nat}\ i) \\
\forall i(\mathit{nat}\ i \supset \forall j(i < j \supset \mathit{nat}\ j)) \\
\forall i(\mathit{nat}\ i \supset i < (s\ i)) \\
\forall i(\mathit{nat}\ i \supset \forall j(i < (s\ j) \supset i \le j)) \\
\forall i(\mathit{nat}\ i \supset \forall j \forall k(i < j \supset j < k \supset i < k)) \\
\forall i(\mathit{nat}\ i \supset \forall j(\mathit{nat}\ j \supset \exists k(\mathit{nat}\ k \wedge i < k \wedge j < k))) \\
\forall i(\mathit{nat}\ i \supset \forall j \forall k(\mathit{sum}\ i\ (s\ j)\ k \supset \mathit{sum}\ (s\ i)\ j\ k)) \\
\forall i(\mathit{nat}\ i \supset \forall j(\mathit{nat}\ j \supset \exists k(\mathit{nat}\ k \wedge \mathit{sum}\ i\ j\ k))) \\
\forall i(\mathit{nat}\ i \supset \forall j \forall k(\mathit{nat}\ j \supset \mathit{sum}\ i\ j\ k \supset i \le k)) \\
\forall i(\mathit{nat}\ i \supset \forall j \forall k(\mathit{nat}\ j \supset \mathit{sum}\ (s\ i)\ j\ k \supset j < k))
\end{array}$$



2.2 Lists 



In this section we introduce a type lst for lists over an arbitrary but fixed type
τ. The type has two constructors, nil : lst representing the empty list and the
infix operator :: of type τ → lst → lst that adds an element to the front of a list.
Consider the list predicates

$$\begin{array}{ll}
\mathit{length} : \mathit{lst} \to \mathit{nt} \to o & \mathit{split} : \mathit{lst} \to \mathit{lst} \to \mathit{lst} \to o \\
\mathit{list} : \mathit{lst} \to o & \mathit{permute} : \mathit{lst} \to \mathit{lst} \to o \\
\mathit{element} : \tau \to \mathit{lst} \to o , &
\end{array}$$

whose definitional clauses are shown in Table III; we shall refer to this set of clauses
as 𝒟(list(τ)). The predicate length represents the function that returns the length
of its list argument. The length of the empty list is zero, and the length of (X::L)
is one more than the length of L. The predicate list indicates that its argument
has a finite (natural number) length. We shall find this predicate useful for constructing
induction principles over lists. The predicate element indicates that its
first argument is a member of its second argument. X is an element of (Y::L) if
X and Y are the same or if X is an element of L. The predicate split holds if its
first argument represents a merging of the second and third in which the order of
elements in second and third lists is preserved in the first. The empty list can only
be split into two empty lists. To split (X::L), we split L and add X to the front
of either of the resulting lists. The predicate permute holds if its two arguments
contain the same elements (including repetitions), though not necessarily in the
same order. The empty list only permutes to itself. A list (X::L1) permutes to L2
if removing X from L2 yields a permutation of L1.
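The clauses of Table II (Section 2.1) and Table III run as a logic program, as an added example that is not part of the paper: the defR rule read as backchaining, with first-order unification standing in for the CSU (every clause here is first-order, so the CSU is a single most general unifier). The two nat clauses are an assumption of this example, since nat is primitive in FOλ^ΔN; they are added only so that bodies mentioning nat can be searched.

```python
"""Backchaining over the definitional clauses of Tables II and III (added example,
not from the paper). defR proves a defined atom by unifying it with a clause head
and then proving the instantiated body: exactly the depth-first search done here.
Terms: ('z',), ('s', n), ('nil',), ('::', x, l); list elements are Python ints.
In clause sources, strings are clause variables, renamed to fresh Vars per use."""

Z, NIL = ("z",), ("nil",)

def s(n):
    return ("s", n)

def cons(x, l):
    return ("::", x, l)

class Var:
    """Logic variable; only its identity matters."""

# nat is primitive in FOλΔN (natR/natL); its two clauses are added here only so
# that the bodies of sum, lt and list can be searched.
DEFINITION = [
    (("nat", Z), []), (("nat", s("I")), [("nat", "I")]),
    (("sum", Z, "J", "J"), [("nat", "J")]),                          # Table II
    (("sum", s("I"), "J", s("K")), [("sum", "I", "J", "K")]),
    (("lt", Z, s("J")), [("nat", "J")]),
    (("lt", s("I"), s("J")), [("lt", "I", "J")]),
    (("le", "I", "I"), []), (("le", "I", "J"), [("lt", "I", "J")]),
    (("length", NIL, Z), []),                                        # Table III
    (("length", cons("X", "L"), s("I")), [("length", "L", "I")]),
    (("list", "L"), [("nat", "I"), ("length", "L", "I")]),
    (("element", "X", cons("X", "L")), []),
    (("element", "X", cons("Y", "L")), [("element", "X", "L")]),
    (("split", NIL, NIL, NIL), []),
    (("split", cons("X", "L1"), cons("X", "L2"), "L3"), [("split", "L1", "L2", "L3")]),
    (("split", cons("X", "L1"), "L2", cons("X", "L3")), [("split", "L1", "L2", "L3")]),
    (("permute", NIL, NIL), []),
    (("permute", cons("X", "L1"), "L2"),
     [("split", "L2", cons("X", NIL), "L22"), ("permute", "L1", "L22")]),
]

def rename(t, env):
    """Instantiate a clause-source term; one env per clause use keeps its vars shared."""
    if isinstance(t, str):
        return env.setdefault(t, Var())
    return (t[0],) + tuple(rename(a, env) for a in t[1:]) if isinstance(t, tuple) else t

def walk(t, sub):
    while isinstance(t, Var) and t in sub:
        t = sub[t]
    return t

def occurs(v, t, sub):
    t = walk(t, sub)
    return t is v or (isinstance(t, tuple) and any(occurs(v, a, sub) for a in t[1:]))

def unify(a, b, sub):
    """First-order unification: these clauses are first-order, so the CSU is one mgu."""
    a, b = walk(a, sub), walk(b, sub)
    if a == b:
        return sub
    if isinstance(a, Var) or isinstance(b, Var):
        v, t = (a, b) if isinstance(a, Var) else (b, a)
        return None if occurs(v, t, sub) else {**sub, v: t}
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b):
        for x, y in zip(a[1:], b[1:]):
            sub = unify(x, y, sub)
            if sub is None:
                return None
        return sub
    return None

def solve(goals, sub):
    """Yield each substitution under which every goal is provable (depth-first)."""
    if not goals:
        yield sub
        return
    goal, rest = goals[0], goals[1:]
    for head, body in DEFINITION:
        env = {}
        sub2 = unify(goal, rename(head, env), sub)
        if sub2 is not None:                  # defR: backchain, then prove the body
            yield from solve([rename(g, env) for g in body] + rest, sub2)

def to_list(xs):
    return NIL if not xs else cons(xs[0], to_list(xs[1:]))

def reify(t, sub):
    t = walk(t, sub)
    return (t[0],) + tuple(reify(a, sub) for a in t[1:]) if isinstance(t, tuple) else t

def from_list(t):
    return [] if t == NIL else [t[1]] + from_list(t[2])

def provable(atom):
    """Is the ground atom derivable? The first solution found settles that."""
    return next(solve([atom], {}), None) is not None

def splits(xs):
    """All (l1, l2) with split xs l1 l2 provable: every order-preserving 2-colouring."""
    l1, l2 = Var(), Var()
    return sorted((from_list(reify(l1, sub)), from_list(reify(l2, sub)))
                  for sub in solve([("split", to_list(xs), l1, l2)], {}))
```

Queries with a free first argument to permute or nat enumerate forever, so the helpers above only use modes in which the search is finite.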

We now derive an induction rule for lists from the induction rule for natural
numbers (natL) using the length of a list as our measure.

Proposition 2.5. For any formula C : o, predicate B : lst → o, term L : lst,
multiset Γ of formulas, and eigenvariables x : τ and l : lst such that x and l are not
free in B, the following rule is derivable in FOλ^ΔN using the definition 𝒟(list(τ)):

$$\frac{\longrightarrow B\ \mathit{nil} \qquad B\ l \longrightarrow B\ (x::l) \qquad B\ L, \Gamma \longrightarrow C}{\mathit{list}\ L, \Gamma \longrightarrow C}$$

Proof. To derive this rule, we construct a partial derivation of the sequent
list L, Γ ⟶ C, leaving unproved premises of the form ⟶ B nil, B l ⟶ B (x::l),
and B L, Γ ⟶ C. This corresponds to proving that C follows from Γ and the fact
that L is a list under the assumptions

— B holds for nil;

— for any x' and l', if B holds for l', then it also holds for (x'::l');

— B L and Γ imply C.
Table III. Definitional clauses for predicates over lists

$$\begin{array}{l}
\mathit{length}\ \mathit{nil}\ z \triangleq \top \\
\mathit{length}\ (X::L)\ (s\ I) \triangleq \mathit{length}\ L\ I \\
\mathit{list}\ L \triangleq \exists i(\mathit{nat}\ i \wedge \mathit{length}\ L\ i) \\
\mathit{element}\ X\ (X::L) \triangleq \top \\
\mathit{element}\ X\ (Y::L) \triangleq \mathit{element}\ X\ L \\
\mathit{split}\ \mathit{nil}\ \mathit{nil}\ \mathit{nil} \triangleq \top \\
\mathit{split}\ (X::L_1)\ (X::L_2)\ L_3 \triangleq \mathit{split}\ L_1\ L_2\ L_3 \\
\mathit{split}\ (X::L_1)\ L_2\ (X::L_3) \triangleq \mathit{split}\ L_1\ L_2\ L_3 \\
\mathit{permute}\ \mathit{nil}\ \mathit{nil} \triangleq \top \\
\mathit{permute}\ (X::L_1)\ L_2 \triangleq \exists L_2'(\mathit{split}\ L_2\ (X::\mathit{nil})\ L_2' \wedge \mathit{permute}\ L_1\ L_2')
\end{array}$$



The proof is by induction on the length of the list L. Since list L holds, by
definition L has a length which is a natural number:

$$\frac{\dfrac{\dfrac{\dfrac{\dfrac{\mathit{nat}\ i, \mathit{length}\ L\ i, \Gamma \longrightarrow C}{\mathit{nat}\ i, \mathit{nat}\ i \wedge \mathit{length}\ L\ i, \Gamma \longrightarrow C}\ \wedge\mathcal{L}}{\mathit{nat}\ i \wedge \mathit{length}\ L\ i, \mathit{nat}\ i \wedge \mathit{length}\ L\ i, \Gamma \longrightarrow C}\ \wedge\mathcal{L}}{\mathit{nat}\ i \wedge \mathit{length}\ L\ i, \Gamma \longrightarrow C}\ c\mathcal{L}}{\exists i(\mathit{nat}\ i \wedge \mathit{length}\ L\ i), \Gamma \longrightarrow C}\ \exists\mathcal{L}}{\mathit{list}\ L, \Gamma \longrightarrow C}\ \mathit{def}\mathcal{L}$$

We now claim that B holds for lists of any length, and wish to prove this claim
by induction on the length of the list. Thus we must prove

(1) the base case: B holds for lists of length zero;

(2) the induction step: if B holds for lists of length i', it holds for lists of length
(s i');

(3) the relevance of the claim: C follows from Γ, the fact that L has length i, and
the fact that B holds for lists of length i.

This is represented in FOλ^ΔN by applying the natL rule with the induction predicate
λi.∀l(length l i ⊃ B l), which yields the three sequents

$$\begin{array}{l}
\longrightarrow \forall l(\mathit{length}\ l\ z \supset B\ l) \\
\forall l(\mathit{length}\ l\ i' \supset B\ l) \longrightarrow \forall l(\mathit{length}\ l\ (s\ i') \supset B\ l) \\
\forall l(\mathit{length}\ l\ i \supset B\ l), \mathit{length}\ L\ i, \Gamma \longrightarrow C .
\end{array}$$

Once we have proved that B holds for lists of length i, then we know it holds
for L. Thus we know that C follows from Γ, since our third working assumption
says that C follows from B L and Γ. This is represented formally by the partial
derivation of the third premise of the natL rule:

$$\frac{\dfrac{\dfrac{}{\mathit{length}\ L\ i, \Gamma \longrightarrow \mathit{length}\ L\ i}\ \mathit{init} \qquad B\ L, \mathit{length}\ L\ i, \Gamma \longrightarrow C}{\mathit{length}\ L\ i \supset B\ L, \mathit{length}\ L\ i, \Gamma \longrightarrow C}\ \supset\mathcal{L}}{\forall l(\mathit{length}\ l\ i \supset B\ l), \mathit{length}\ L\ i, \Gamma \longrightarrow C}\ \forall\mathcal{L}$$

The unproved premise of this partial derivation is actually a weakening of the third
premise of the induction rule we are deriving. We do not have an explicit weakening
rule in FOλ^ΔN, but it suffices here to use the cut rule:

$$\frac{B\ L, \mathit{length}\ L\ i \longrightarrow B\ L \qquad B\ L, \Gamma \longrightarrow C}{B\ L, \mathit{length}\ L\ i, \Gamma \longrightarrow C}\ \mathit{cut}$$

The first premise of the cut rule is derivable for any B and L, since the consequent
B L also occurs as an antecedent. The second premise is the desired premise of the
rule we are deriving.

In the base case of the induction, we must show that B holds for lists of length
zero. Since the only list of length zero is nil, this follows from the first working
assumption, which says that B nil holds. This case is formalized in the following
partial derivation of the first premise of the natL rule:

$$\frac{\dfrac{\dfrac{\top \longrightarrow B\ \mathit{nil}}{\mathit{length}\ l\ z \longrightarrow B\ l}\ \mathit{def}\mathcal{L}}{\longrightarrow \mathit{length}\ l\ z \supset B\ l}\ \supset\mathcal{R}}{\longrightarrow \forall l(\mathit{length}\ l\ z \supset B\ l)}\ \forall\mathcal{R}$$

The induction step requires us to prove that B holds for all lists of length (s i'),
given that it holds for all lists of length i'. Since a list of length (s i') is constructed
by adding an element to the front of a list of length i', this step follows from the
second working assumption, which says that if B holds for a list l, then for any
x : τ, B holds for x::l. This reasoning is represented in the partial derivation of
the second premise of the natL rule:

$$\frac{\dfrac{\dfrac{\dfrac{\dfrac{}{\mathit{length}\ l'\ i' \longrightarrow \mathit{length}\ l'\ i'}\ \mathit{init} \qquad B\ l', \mathit{length}\ l'\ i' \longrightarrow B\ (x'::l')}{\mathit{length}\ l'\ i' \supset B\ l', \mathit{length}\ l'\ i' \longrightarrow B\ (x'::l')}\ \supset\mathcal{L}}{\forall l(\mathit{length}\ l\ i' \supset B\ l), \mathit{length}\ l'\ i' \longrightarrow B\ (x'::l')}\ \forall\mathcal{L}}{\forall l(\mathit{length}\ l\ i' \supset B\ l), \mathit{length}\ l\ (s\ i') \longrightarrow B\ l}\ \mathit{def}\mathcal{L}}{\forall l(\mathit{length}\ l\ i' \supset B\ l) \longrightarrow \mathit{length}\ l\ (s\ i') \supset B\ l}\ \supset\mathcal{R}}{\forall l(\mathit{length}\ l\ i' \supset B\ l) \longrightarrow \forall l(\mathit{length}\ l\ (s\ i') \supset B\ l)}\ \forall\mathcal{R}$$

In this use of the defL rule, the complete set of unifiers for the atomic formula
length l (s i') and the head of the clause ∀x', l', j[length (x'::l') (s j) ≜ length l' j]
is the singleton set {[x'::l'/l, i'/j]}. The unproved premise of the partial derivation
above is a weakening of the second premise of the induction rule we are deriving.
We can achieve this weakening using the cut rule in the same manner as we did for
the third premise:

$$\frac{B\ l', \mathit{length}\ l'\ i' \longrightarrow B\ l' \qquad B\ l' \longrightarrow B\ (x'::l')}{B\ l', \mathit{length}\ l'\ i' \longrightarrow B\ (x'::l')}\ \mathit{cut}$$ □

ACM Transactions on Computational Logic, Vol. TBD, No. TBD, TBD TBD.
Reasoning with Higher-Order Abstract Syntax



We will now use this derived induction rule for lists to prove a very simple property,
namely that we can split any list L into nil and L.

Proposition 2.6. The formula ∀l(list l ⊃ split l nil l) is derivable in FOλ^ΔN
using the definition 𝒟(list(τ)).

Proof. We prove this by induction on l; using the right rules for ∀ and ⊃ and
the derived rule of Proposition 2.5 with the induction predicate (λl.split l nil l), we
get the three sequents

$$\begin{array}{l}
\longrightarrow \mathit{split}\ \mathit{nil}\ \mathit{nil}\ \mathit{nil} \\
\mathit{split}\ l'\ \mathit{nil}\ l' \longrightarrow \mathit{split}\ (x'::l')\ \mathit{nil}\ (x'::l') \\
\mathit{split}\ l\ \mathit{nil}\ l \longrightarrow \mathit{split}\ l\ \mathit{nil}\ l .
\end{array}$$

Since the induction predicate applied to l is the same as the consequent, the relevance
of the induction predicate is immediate. Thus the third sequent follows from
the init rule.

The base case follows immediately from the definition of split, and so the first
sequent is derivable using the defR and ⊤R rules.

The induction step also follows easily from the definition of split:

$$\frac{\dfrac{}{\mathit{split}\ l'\ \mathit{nil}\ l' \longrightarrow \mathit{split}\ l'\ \mathit{nil}\ l'}\ \mathit{init}}{\mathit{split}\ l'\ \mathit{nil}\ l' \longrightarrow \mathit{split}\ (x'::l')\ \mathit{nil}\ (x'::l')}\ \mathit{def}\mathcal{R}$$ □

We conclude this section with a proposition that presents additional properties of lists that we have derived in FOλ^ΔN, though we omit the derivations here.

Proposition 2.7. The following formulas are derivable in FOλ^ΔN using the definition D(list(τ)):
$$
\begin{array}{l}
\forall l(\mathit{list}\,l \supset \forall l_1 \forall l_2(\mathit{split}\,l\,l_1\,l_2 \supset (\mathit{list}\,l_1 \wedge \mathit{list}\,l_2))) \\[4pt]
\forall l_1(\mathit{list}\,l_1 \supset \forall l_2(\mathit{list}\,l_2 \supset \forall l(\mathit{split}\,l\,l_1\,l_2 \supset \mathit{list}\,l))) \\[4pt]
\forall l(\mathit{list}\,l \supset \forall l_1 \forall l_2(\mathit{split}\,l\,l_1\,l_2 \supset (\forall x(\mathit{element}\,x\,l_1 \supset \mathit{element}\,x\,l) \wedge \forall x(\mathit{element}\,x\,l_2 \supset \mathit{element}\,x\,l)))) \\[4pt]
\forall l(\mathit{list}\,l \supset \forall l_1 \forall l_2(\mathit{split}\,l\,l_1\,l_2 \supset \mathit{split}\,l\,l_2\,l_1)) \\[4pt]
\forall l(\mathit{list}\,l \supset \forall l_{23} \forall l_1 \forall l_2 \forall l_3(\mathit{split}\,l\,l_1\,l_{23} \supset \mathit{split}\,l_{23}\,l_2\,l_3 \supset \exists l_{12}(\mathit{split}\,l\,l_{12}\,l_3 \wedge \mathit{split}\,l_{12}\,l_1\,l_2))) \\[4pt]
\forall l(\mathit{list}\,l \supset \forall l_{12} \forall l_1 \forall l_2 \forall l_3(\mathit{split}\,l\,l_{12}\,l_3 \supset \mathit{split}\,l_{12}\,l_1\,l_2 \supset \exists l_{23}(\mathit{split}\,l\,l_1\,l_{23} \wedge \mathit{split}\,l_{23}\,l_2\,l_3))) \\[4pt]
\forall l(\mathit{list}\,l \supset \mathit{permute}\,l\,l) \\[4pt]
\forall l(\mathit{list}\,l \supset \forall l'(\mathit{permute}\,l\,l' \supset \mathit{list}\,l')) \\[4pt]
\forall l(\mathit{list}\,l \supset \forall l' \forall l_1 \forall l_2(\mathit{list}\,l' \supset \mathit{permute}\,l\,l' \supset \mathit{split}\,l\,l_1\,l_2 \supset \exists l_1' \exists l_2'(\mathit{permute}\,l_1\,l_1' \wedge \mathit{permute}\,l_2\,l_2' \wedge \mathit{split}\,l'\,l_1'\,l_2'))) \\[4pt]
\forall l(\mathit{list}\,l \supset \forall l' \forall l_1 \forall l_1' \forall l_2 \forall l_2'(\mathit{list}\,l' \supset \mathit{split}\,l\,l_1\,l_2 \supset \mathit{split}\,l'\,l_1'\,l_2' \supset \mathit{permute}\,l_1\,l_1' \supset \mathit{permute}\,l_2\,l_2' \supset \mathit{permute}\,l\,l')) .
\end{array}
$$
3. THE STRENGTH OF FOλ^ΔN

Before proceeding to consider FOλ^ΔN as a logic for meta-theoretic analysis, we comment here on how to relate FOλ^ΔN to other logical systems.

First, we show that FOλ^ΔN captures the theorems of an intuitionistic version of Peano's arithmetic (IPA) using a definition consisting of one clause for equality. The formulas of IPA are those of a first-order logic with equality using the same logical connectives as those in FOλ^ΔN and the same symbols $z$ for zero and $s$ for successor. The axiom schemes for IPA can be grouped into the following collections.

(1) Axioms for first-order intuitionistic logic.

(2) Axioms for equality: reflexivity, symmetry, transitivity, and substitution.

(3) The two formulas
$$ \forall x \forall y (s\,x = s\,y \supset x = y) \quad\text{and}\quad \forall x (z = s\,x \supset \bot) . $$

(4) The axioms of induction: all formulas of the form
$$ \varphi(z) \wedge \forall j (\varphi(j) \supset \varphi(s\,j)) \supset \forall x\, \varphi(x) , $$
where $\varphi(x)$ ranges over formulas with at most the variable $x$ free.

There are two inference rules for IPA: Modus Ponens allows the formula $B$ to be inferred from the formulas $A \supset B$ and $A$, while Universal Generalization allows the formula $\forall x B$ to be inferred from $B$. A list of formulas $C_1, \ldots, C_n$ ($n \geq 1$) is an IPA derivation if for every $i \in \{1, \ldots, n\}$, $C_i$ is either an axiom or is the conclusion of modus ponens or universal generalization from formulas in the list $C_1, \ldots, C_{i-1}$. We write $\vdash_{\mathrm{IPA}} C$ if $C$ is the last formula of an IPA derivation.

In order to map an IPA formula, say $B$, to a FOλ^ΔN formula, say $(B)^\circ$, we must adjust for typing. The single sort used in IPA formulas will be mapped to the type $nt$, and all instances of quantifiers in IPA formulas must be qualified using the $\mathit{nat}$ predicate: that is, $(\forall x.B)^\circ = \forall x.\mathit{nat}\,x \supset (B)^\circ$ and $(\exists x.B)^\circ = \exists x.\mathit{nat}\,x \wedge (B)^\circ$. Predicates in IPA will be mapped to the corresponding predicates in FOλ^ΔN similarly adjusted for type. Let D(eq) be the definition consisting of the one clause:

We now sketch a proof that $\vdash_{\mathrm{IPA}} C$ implies that $(C)^\circ$ has a FOλ^ΔN derivation using D(eq). The proof is by induction on the length of the IPA derivation. The axioms of intuitionistic logic are derivable in FOλ^ΔN since it is complete for intuitionistic logic (the rules for definition and natural numbers are not needed). The axioms for equality are derivable using the definition rules with D(eq) (as noted in Girard [1992] and Schroeder-Heister [1993]). The two formulas concerning $z$ and $s$ are also derivable using the definition rules. The only remaining axiom that needs to be considered is that for induction in IPA. Let $\varphi(x)$ be a formula with at most $x$ free and let $\varphi^\circ(x)$ be the translation of that formula into FOλ^ΔN. We then need to prove that the sequent
$$
\longrightarrow \varphi^\circ(z) \wedge \forall j(\mathit{nat}\,j \supset \varphi^\circ(j) \supset \varphi^\circ(s\,j)) \supset \forall x(\mathit{nat}\,x \supset \varphi^\circ(x))
$$
is derivable in FOλ^ΔN. Using the inference rules ⊃R, ∀R, and cL, the derivability of this sequent can be reduced to the derivability of the sequent
$$
\varphi^\circ(z) \wedge \forall j(\mathit{nat}\,j \supset \varphi^\circ(j) \supset \varphi^\circ(s\,j)),\ \mathit{nat}\,I,\ \mathit{nat}\,I \longrightarrow \varphi^\circ(I) ,
$$
where $I$ is a new eigenvariable. Consider now deriving this sequent with natL, using the induction predicate
$$
\lambda w.\ ((\varphi^\circ(z) \wedge \forall j(\mathit{nat}\,j \supset \varphi^\circ(j) \supset \varphi^\circ(s\,j)) \wedge \mathit{nat}\,w) \supset \varphi^\circ(w)) .
$$
The three premises of this instance of natL are now easily derived.

Second, it may be possible to base the logic FOλ^ΔN on classical instead of intuitionistic logic. Since FOλ^ΔN is intended to formalize informal mathematical reasoning about computation, such a choice might well be interesting and useful, although none of the many example applications we have explored require leaving intuitionistic logic. We do not explore a classical version of FOλ^ΔN here and simply point out that if the classical variant satisfies a cut-elimination property, a proof of that fact does not seem to be a straightforward generalization of the proof given in McDowell [1997] and McDowell and Miller [2000].

Finally, we add a word about how FOλ^ΔN can be used to reason about computation. Subsets of intuitionistic logic, such as hereditary Harrop formulas or Horn clauses, can be used to specify computation using goal-directed derivation search [Miller et al. 1991]. The logic FOλ^ΔN, which is much stronger than these subsets, can be used to reason about logic programs in the following fashion. Let $\mathcal{P}$ be, for example, a Horn clause program and let $G$ be some goal formula (a formula composed of conjunctions, disjunctions, and existential quantifiers) such that there is a goal-directed derivation of the sequent $\mathcal{P} \longrightarrow G$ in intuitionistic logic. That derivation is also a cut-free intuitionistic logic derivation [Miller et al. 1991]. Thus the sequent $\longrightarrow G$ has a cut-free derivation in FOλ^ΔN using $\mathcal{P}$ as a definition (given the restrictions on $G$ and $\mathcal{P}$, there are no occurrences of the defL and natL inference rules in such a derivation). Now assume that we also have a derivation in FOλ^ΔN, using $\mathcal{P}$ as a definition, of the sequent $G \longrightarrow G'$ for some goal formula $G'$. Using the cut-elimination theorem for FOλ^ΔN (Proposition 1.1), we know that the sequent $\longrightarrow G'$ has a cut-free derivation in FOλ^ΔN using $\mathcal{P}$ as a definition. Since induction is encoded as a left-introduction rule, it is easy to see that the resulting derivation does not contain occurrences of induction. Similarly, there can be no occurrences of the defL rule. Hence, we can conclude that $\mathcal{P} \longrightarrow G'$ will have an intuitionistic logic derivation as well as a goal-directed derivation. Thus, informally, we can conclude that if $G \supset G'$ is derivable in FOλ^ΔN and there is a computation proving $G$, then there is a computation proving $G'$. Hence, implications in the stronger logic can be used to show that the existence of certain computations can lead to the existence of other computations. For example, as we have mentioned in Proposition 2.7, the formula
$$
\forall l(\mathit{list}\,l \supset \forall l_1 \forall l_2(\mathit{split}\,l\,l_1\,l_2 \supset \mathit{split}\,l\,l_2\,l_1))
$$
can be derived in FOλ^ΔN using D(list(τ)). If we also assume that we are given three lists $L_0, L_1, L_2$ such that $\mathit{list}\,L_0$ and $\mathit{split}\,L_0\,L_1\,L_2$ follow from D(list(τ)) (considered as a Horn clause logic program), then the above argument can be used to show that $\mathit{split}\,L_0\,L_2\,L_1$ must also follow from that logic program.
Part II: LOGIC REPRESENTATIONS FOR META-THEORETIC ANALYSIS

Since FOλ^ΔN contains quantification at higher-order types and term structures involving λ-terms, it easily supports higher-order abstract syntax. Eriksson [1993] demonstrated the use of his finitary calculus of partial inductive definitions (which is similar to FOλ^ΔN) for the specification of various logics and type systems using higher-order abstract syntax. Our goal is to go a step beyond that and also reason within FOλ^ΔN about the object systems. As we set about to do so, we encounter some difficulties in reasoning about higher-order abstract syntax specifications within the specification logic and develop strategies for surmounting those difficulties.

We begin the first section of this part by presenting the usual higher-order abstract syntax representation of intuitionistic logic and illustrating the problems alluded to above. We then proceed through several modifications of this encoding which improve our ability to perform meta-theoretic analyses, although at some loss of the benefits of higher-order abstract syntax. In Section || we further illustrate these encoding techniques through two examples involving fragments of intuitionistic and linear logic. The specifications of these two logics will also be used in Part III as part of an alternative strategy for formal reasoning with higher-order abstract syntax that retains the full benefits of this representation style. We conclude the present part with a section discussing related work.

To keep our discussion succinct, we do not prove the adequacy of the encodings presented in Section ^. The skeptical reader is referred to the discussion of similar encodings in the literature: see Section ^ for references. The two encodings of Section ^, however, play a key role in our work, and so we do include adequacy theorems for these.

4. A SPECTRUM OF ENCODING STYLES

4.1 Natural deduction-style encoding

In order to examine our ability to reason about higher-order abstract syntax encodings in FOλ^ΔN, we present a definition of first-order intuitionistic logic. For brevity we will restrict our discussion here to a fragment of the logic containing implication and quantification. The full logic is considered in McDowell [1997], though the remaining connectives do not provide any additional insight. We use the type $i$ for terms of the object logic, the type $atm$ for atoms (atomic propositions) and the type $prp$ for general propositions; we also introduce the following constants:
$$
\langle\,\rangle : atm \to prp \qquad \textstyle\bigwedge_i : (i \to prp) \to prp \qquad
\Rightarrow\ : prp \to prp \to prp \qquad \textstyle\bigvee_i : (i \to prp) \to prp .
$$
The constant $\langle\,\rangle$ coerces atoms into propositions: object-level predicates will be constants that build meta-level terms of type $atm$. The constant $\Rightarrow$ represents the implication connective, and $\bigwedge_i$ and $\bigvee_i$ encode universal and existential quantification at type $i$. Notice that we are using the λ-abstraction of FOλ^ΔN's term language to represent the variable binding of the two object logic quantifiers. As a result, α-equivalence of quantified object logic formulas follows from the α-equivalence of λ-bound terms in FOλ^ΔN, and substitution for object logic variables can be accomplished by β-reduction at the level of FOλ^ΔN terms.
Table IV. Natural deduction-style encoding of intuitionistic logic
$$
\begin{array}{lcl}
\mathit{prove}\,(B \Rightarrow C) & \subset & \mathit{prove}\,B \supset \mathit{prove}\,C \\
\mathit{prove}\,\bigwedge_i B & \subset & \forall_i x\ \mathit{prove}\,(B\,x) \\
\mathit{prove}\,\bigvee_i B & \subset & \exists_i x\ \mathit{prove}\,(B\,x) \\
\mathit{prove}\,C & \subset & \exists b(\mathit{prove}\,(b \Rightarrow C) \wedge \mathit{prove}\,b) \\
\mathit{prove}\,(B\,X) & \subset & \mathit{prove}\,\bigwedge_i B \\
\mathit{prove}\,C & \subset & \exists b(\mathit{prove}\,\bigvee_i b \wedge (\exists_i x\ \mathit{prove}\,(b\,x) \supset \mathit{prove}\,C))
\end{array}
$$

Derivability in the object logic is encoded via the predicate $\mathit{prove}$ of type $prp \to o$; the usual higher-order abstract syntax encoding of this predicate is the theory shown in Table IV. Here we use $\subset$ for reverse implication in the meta-logic; the first clause, for example, can be rewritten as
$$
(\mathit{prove}\,B \supset \mathit{prove}\,C) \supset \mathit{prove}\,(B \Rightarrow C) .
$$
The first three clauses correspond to the introduction rules for natural deduction; the remaining three correspond to the elimination rules.

Although this encoding mirrors the rules for natural deduction, we may view it as an encoding of the sequent calculus, with the derivability of the sequent $B_1, \ldots, B_n \longrightarrow C$ represented by the FOλ^ΔN formula
$$
\mathit{prove}\,B_1 \supset \cdots \supset \mathit{prove}\,B_n \supset \mathit{prove}\,C .
$$
This is in keeping with the higher-order abstract syntax principle of using specification logic hypotheses to represent contexts (in this case, the left side of the sequent). The structural rules (exchange, weakening, and contraction) follow immediately from this representation; for example, the derivation for weakening is
$$
\dfrac{\dfrac{\dfrac{}{\mathit{prove}\,c,\ \mathit{prove}\,b \longrightarrow \mathit{prove}\,c}\ \mathit{init}}{\longrightarrow \mathit{prove}\,c \supset (\mathit{prove}\,b \supset \mathit{prove}\,c)}\ \supset\!\mathcal{R}\ (\times 2)}{\longrightarrow \forall b \forall c(\mathit{prove}\,c \supset (\mathit{prove}\,b \supset \mathit{prove}\,c))}\ \forall\mathcal{R}\ (\times 2)
$$
We use double horizontal lines to represent multiple applications of an inference rule. In this case, both the ⊃R rule and the ∀R rule are applied twice. The admissibility of the cut rule, encoded by the formula
$$
\forall b \forall c((\mathit{prove}\,b \supset \mathit{prove}\,c) \supset \mathit{prove}\,b \supset \mathit{prove}\,c) ,
$$
also follows easily from the ⊃L rule. The right rules are the same as the corresponding introduction rules, and the left rules are easily derived from the clauses for the corresponding elimination rules. The left rule for $\bigwedge_i$, for instance, is encoded by the FOλ^ΔN formula
$$
\forall b \forall c(\exists x(\mathit{prove}\,(b\,x) \supset \mathit{prove}\,c) \supset (\mathit{prove}\,\bigwedge_i b \supset \mathit{prove}\,c)) ,
$$
whose derivation is evident from the clause for the elimination rule for $\bigwedge_i$.

However, this encoding is not appropriate for meta-theoretic analysis of object logic derivations. To do such analysis in FOλ^ΔN, we need to be able to perform
Table V. Sequent calculus encoding of intuitionistic logic
$$
\begin{array}{lcl}
\mathit{conc}_I\,\langle A \rangle & \triangleq & \mathit{hyp}\,\langle A \rangle \\
\mathit{conc}_{(s\,I)}\,(B \Rightarrow C) & \triangleq & \mathit{hyp}\,B \supset \mathit{conc}_I\,C \\
\mathit{conc}_{(s\,I)}\,\bigwedge_i B & \triangleq & \forall_i x\ \mathit{conc}_I\,(B\,x) \\
\mathit{conc}_{(s\,I)}\,\bigvee_i B & \triangleq & \exists_i x\ \mathit{conc}_I\,(B\,x) \\
\mathit{conc}_{(s\,I)}\,D & \triangleq & \exists b \exists c(\mathit{hyp}\,(b \Rightarrow c) \wedge (\mathit{hyp}\,c \supset \mathit{conc}_I\,D) \wedge \mathit{conc}_I\,b) \\
\mathit{conc}_{(s\,I)}\,C & \triangleq & \exists b(\mathit{hyp}\,\bigwedge_i b \wedge (\forall_i x\ \mathit{hyp}\,(b\,x) \supset \mathit{conc}_I\,C)) \\
\mathit{conc}_{(s\,I)}\,C & \triangleq & \exists b(\mathit{hyp}\,\bigvee_i b \wedge (\exists_i x\ \mathit{hyp}\,(b\,x) \supset \mathit{conc}_I\,C))
\end{array}
$$

induction over the derivations. Recall that in Section 2.2 we used the natural number measure in the $\mathit{length}$ predicate to derive an induction principle for lists. But there is no apparent way to add a natural number induction measure to the $\mathit{prove}$ predicate because of the clause for the ⇒ introduction rule. This reflects the fact that this clause gives rise to a non-monotone operator; this is generally true of the types and theories in higher-order abstract syntax encodings, and makes inductive principles difficult to find. We would also like to change the specification into a definition so that we can use the defL rule for the analysis of derivations. Simply replacing the $\subset$ in each clause by $\triangleq$ is problematic for two reasons. First, the clause resulting from the introduction rule for ⇒ would not satisfy the level restriction for any level we might assign to $\mathit{prove}$. Second, the clause resulting from the elimination rule for $\bigwedge_i$ would have a problematic head. There are too many ways that $(B\,X)$ can match and unify with other terms; this makes the practical application of the defR and defL rules difficult and would result in many cases that are not productive.

4.2 Sequent calculus-style encoding

We can solve the problems with the encoding of the introduction rule for ⇒ by introducing separate predicates
$$
\mathit{hyp} : prp \to o \qquad \mathit{conc} : nt \to prp \to o
$$
for the left and right sides of the sequent, respectively. The predicate $\mathit{hyp}$ will not be a defined predicate, and so can have level zero. The negative occurrence of $\mathit{prove}$ in the introduction clause for ⇒ becomes an occurrence of $\mathit{hyp}$, so the predicate $\mathit{conc}$ can then have level one. This also makes possible the assignment of a measure to $\mathit{conc}$, as suggested by its type. To emphasize that the first argument to $\mathit{conc}$ is a measure, we will write it as a subscript. The problem introduced by the elimination clause for $\bigwedge_i$ is avoided by patterning the encoding after the sequent calculus rules rather than natural deduction rules. The resulting definition is shown in Table V. The first clause encodes the initial axiom, the next three correspond to the right introduction rules, and the remaining three correspond to the left introduction rules.

Since we have not changed the representation of quantification, we get α-equivalence of quantified object logic formulas and substitution for object logic variables from the relevant features of FOλ^ΔN as before. We are still using FOλ^ΔN hypotheses to represent contexts, so the structural rules also follow as before. However, the admissibility of the cut rule, now encoded as
$$
\forall b \forall c(\exists i(\mathit{hyp}\,b \supset \mathit{conc}_i\,c) \supset \exists i\ \mathit{conc}_i\,b \supset \exists i\ \mathit{conc}_i\,c) ,
$$
is no longer immediate: there is no simple proof of $\exists i\ \mathit{conc}_i\,b \longrightarrow \mathit{hyp}\,b$. We expect, though, that the admissibility of cut is still derivable in FOλ^ΔN following the method of Pfenning [1995].



This encoding has another limitation; to see it, consider the following example. Suppose we know that the sequent $b \Rightarrow a \longrightarrow a$ is derivable in intuitionistic logic for some atom $a$ and proposition $b$. Since $a$ is atomic, the derivation must end with a left rule, and since the only formula on the left is $b \Rightarrow a$, it must be the left implication rule. Thus there are derivations of $b \Rightarrow a \longrightarrow b$ and $a, b \Rightarrow a \longrightarrow a$. This second sequent is not so interesting, since it is an initial sequent. So we have shown that if $b \Rightarrow a \longrightarrow a$ is derivable then $b \Rightarrow a \longrightarrow b$ is as well.

Now let us try to capture this reasoning in FOλ^ΔN using our current encoding of intuitionistic logic. We want to derive the sequent
$$
\longrightarrow \forall a \forall b(\exists i(\mathit{hyp}\,(b \Rightarrow \langle a \rangle) \supset \mathit{conc}_i\,\langle a \rangle) \supset \exists j(\mathit{hyp}\,(b \Rightarrow \langle a \rangle) \supset \mathit{conc}_j\,b)) .
$$
After the obvious uses of ∀R and ⊃R, we get
$$
\exists i(\mathit{hyp}\,(b \Rightarrow \langle a \rangle) \supset \mathit{conc}_i\,\langle a \rangle) \longrightarrow \exists j(\mathit{hyp}\,(b \Rightarrow \langle a \rangle) \supset \mathit{conc}_j\,b) .
$$
From our informal reasoning, we know that the derivation of $b$ will have a smaller measure than the derivation of $a$; thus in applying the ∃L and ∃R rules it is conservative to substitute $i$ for $j$:
$$
\mathit{hyp}\,(b \Rightarrow \langle a \rangle) \supset \mathit{conc}_i\,\langle a \rangle \longrightarrow \mathit{hyp}\,(b \Rightarrow \langle a \rangle) \supset \mathit{conc}_i\,b .
$$
To follow the informal proof, we now want to indicate that $\mathit{hyp}\,(b \Rightarrow \langle a \rangle) \supset \mathit{conc}_i\,\langle a \rangle$ must be true by the definitional clause encoding the left rule. However, we cannot apply the defL rule to this formula, since it is not an atom. The closest thing to this that we can do is to eliminate the ⊃ and then apply defL to $\mathit{conc}_i\,\langle a \rangle$. We can eliminate the ⊃ by using ⊃R and then ⊃L, yielding the two sequents
$$
\mathit{hyp}\,(b \Rightarrow \langle a \rangle) \longrightarrow \mathit{hyp}\,(b \Rightarrow \langle a \rangle) \qquad
\mathit{conc}_i\,\langle a \rangle,\ \mathit{hyp}\,(b \Rightarrow \langle a \rangle) \longrightarrow \mathit{conc}_i\,b .
$$
The first is immediate by the init rule. Applying the defL rule to $\mathit{conc}_i\,\langle a \rangle$ in the second sequent yields four sequents corresponding to the cases where the derivation of $a$ ends with the initial rule or any of the three left rules:
$$
\begin{array}{l}
\mathit{hyp}\,\langle a \rangle,\ \mathit{hyp}\,(b \Rightarrow \langle a \rangle) \longrightarrow \mathit{conc}_i\,b \\[4pt]
\exists b' \exists c'(\mathit{hyp}\,(b' \Rightarrow c') \wedge (\mathit{hyp}\,c' \supset \mathit{conc}_{i'}\,\langle a \rangle) \wedge \mathit{conc}_{i'}\,b'),\ \mathit{hyp}\,(b \Rightarrow \langle a \rangle) \longrightarrow \mathit{conc}_{(s\,i')}\,b \\[4pt]
\exists b'(\mathit{hyp}\,\bigwedge_i b' \wedge (\forall_i x\ \mathit{hyp}\,(b'\,x) \supset \mathit{conc}_{i'}\,\langle a \rangle)),\ \mathit{hyp}\,(b \Rightarrow \langle a \rangle) \longrightarrow \mathit{conc}_{(s\,i')}\,b \\[4pt]
\exists b'(\mathit{hyp}\,\bigvee_i b' \wedge (\exists_i x\ \mathit{hyp}\,(b'\,x) \supset \mathit{conc}_{i'}\,\langle a \rangle)),\ \mathit{hyp}\,(b \Rightarrow \langle a \rangle) \longrightarrow \mathit{conc}_{(s\,i')}\,b .
\end{array}
$$
Table VI. Explicit sequent encoding of intuitionistic logic
$$
\begin{array}{lcl}
\mathit{seq}_I\,L\,\langle A \rangle & \triangleq & \mathit{element}\,\langle A \rangle\,L \\
\mathit{seq}_{(s\,I)}\,L\,(B \Rightarrow C) & \triangleq & \mathit{seq}_I\,(B::L)\,C \\
\mathit{seq}_{(s\,I)}\,L\,\bigwedge_i B & \triangleq & \forall_i x\ \mathit{seq}_I\,L\,(B\,x) \\
\mathit{seq}_{(s\,I)}\,L\,\bigvee_i B & \triangleq & \exists_i x\ \mathit{seq}_I\,L\,(B\,x) \\
\mathit{seq}_{(s\,I)}\,L\,D & \triangleq & \exists b \exists c(\mathit{element}\,(b \Rightarrow c)\,L \wedge \mathit{seq}_I\,(c::L)\,D \wedge \mathit{seq}_I\,L\,b) \\
\mathit{seq}_{(s\,I)}\,L\,C & \triangleq & \exists b(\mathit{element}\,\bigwedge_i b\,L \wedge \exists_i x\ \mathit{seq}_I\,((b\,x)::L)\,C) \\
\mathit{seq}_{(s\,I)}\,L\,C & \triangleq & \exists b(\mathit{element}\,\bigvee_i b\,L \wedge \forall_i x\ \mathit{seq}_I\,((b\,x)::L)\,C)
\end{array}
$$

This is clearly not what we want. Even in the case corresponding to the left ⇒ rule we do not know that the rule was applied to the implication $b \Rightarrow \langle a \rangle$. There are really two problems here. The first is that $\mathit{hyp}\,(b \Rightarrow \langle a \rangle) \supset \mathit{conc}_i\,\langle a \rangle$ expresses the idea that $b \Rightarrow \langle a \rangle$ is a hypothesis available in the derivation of $\mathit{conc}_i\,\langle a \rangle$, but it does not capture the idea that it is the only hypothesis available. Thus the defL rule forces us to consider derivations ending with the initial rule or any of the left rules, since the appropriate formula may be available as a hypothesis. The second problem is that we do not have any way to examine the different ways of deriving something from a specific set of hypotheses. Although the formula $\mathit{hyp}\,(b \Rightarrow \langle a \rangle) \supset \mathit{conc}_i\,\langle a \rangle$ indicates that the atom $a$ is derivable from the hypothesis $b \Rightarrow \langle a \rangle$, we cannot examine how that derivation might take place. All we can do is use the ⊃L rule, which says that we know that the hypothesis $b \Rightarrow \langle a \rangle$ is available and so can conclude that $a$ holds.

4.3 Explicit sequent encoding

To remedy this situation, we explicitly represent the entire sequent in a single atomic judgement. As a result, the relevant object logic hypotheses are known to be exactly those listed in the judgement, and the defL rule can be applied to the judgement to examine how the corresponding sequent might be derived. Thus derivability is encoded via the predicate
$$
\mathit{seq} : nt \to prplst \to prp \to o .
$$
The first argument is an induction measure and will be displayed as a subscript. The second argument is a list of terms of type $prp$ and represents the left side of the sequent. We will assume that $prplst$ is the same as the type $lst$ introduced in Section 2.2, using $prp$ for the type of elements. In particular we will assume that we have constructors $\mathit{nil}$ and $::$, and a predicate $\mathit{element}$ as defined in D(list(prp)). The third argument to $\mathit{seq}$ corresponds to the right side of the sequent. The definition for this predicate is shown in Table VI.

Since we have not changed the representation of quantification, we get α-equivalence of quantified object logic formulas and substitution for object logic variables from the relevant features of FOλ^ΔN as before. We are no longer using FOλ^ΔN hypotheses to represent contexts, however, so the structural rules must now be derived by induction. The admissibility of the cut rule must also be derived by
induction, as was the case with the previous encoding. With the atomic encoding of sequents, we now can analyze derivations of propositions from hypotheses. To see this, we revisit the example from above. To formalize this example with the encoding of Table VI, we derive the sequent
$$
\longrightarrow \forall a \forall b(\exists i\ \mathit{seq}_i\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,\langle a \rangle \supset \exists j\ \mathit{seq}_j\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b) .
$$
Applying the ∀R, ⊃R, and ∃L rules yields the sequent
$$
\mathit{seq}_i\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,\langle a \rangle \longrightarrow \exists j\ \mathit{seq}_j\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b .
$$
Now we apply the defL rule to the judgement on the left, which yields four sequents, again corresponding to the cases where the derivation of $a$ ends with the initial rule or any of the three left rules:
$$
\begin{array}{l}
\mathit{element}\,\langle a \rangle\,((b \Rightarrow \langle a \rangle)::\mathit{nil}) \longrightarrow \exists j\ \mathit{seq}_j\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b \\[4pt]
\exists b' \exists c'(\mathit{element}\,(b' \Rightarrow c')\,((b \Rightarrow \langle a \rangle)::\mathit{nil}) \wedge
\mathit{seq}_{i'}\,(c'::(b \Rightarrow \langle a \rangle)::\mathit{nil})\,\langle a \rangle \wedge
\mathit{seq}_{i'}\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b') \longrightarrow \exists j\ \mathit{seq}_j\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b \\[4pt]
\exists b'(\mathit{element}\,\bigwedge_i b'\,((b \Rightarrow \langle a \rangle)::\mathit{nil}) \wedge
\exists_i x\ \mathit{seq}_{i'}\,((b'\,x)::(b \Rightarrow \langle a \rangle)::\mathit{nil})\,\langle a \rangle) \longrightarrow \exists j\ \mathit{seq}_j\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b \\[4pt]
\exists b'(\mathit{element}\,\bigvee_i b'\,((b \Rightarrow \langle a \rangle)::\mathit{nil}) \wedge
\forall_i x\ \mathit{seq}_{i'}\,((b'\,x)::(b \Rightarrow \langle a \rangle)::\mathit{nil})\,\langle a \rangle) \longrightarrow \exists j\ \mathit{seq}_j\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b .
\end{array}
$$
But this time we can easily eliminate three of the four possibilities, since the $\mathit{element}$ assumption is obviously false. In the first sequent, for example, we have the assumption $\mathit{element}\,\langle a \rangle\,((b \Rightarrow \langle a \rangle)::\mathit{nil})$. Since $\langle a \rangle$ cannot unify with $(b \Rightarrow \langle a \rangle)$, $\langle a \rangle$ cannot be the first element of the list; therefore it must be an element of the remainder. But the remainder is the empty list, so $\langle a \rangle$ cannot be an element of it either. This is accomplished formally by applying the defL rule twice:
$$
\dfrac{\dfrac{}{\mathit{element}\,\langle a \rangle\,\mathit{nil} \longrightarrow \exists j\ \mathit{seq}_j\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b}\ \mathrm{def}\mathcal{L}}{\mathit{element}\,\langle a \rangle\,((b \Rightarrow \langle a \rangle)::\mathit{nil}) \longrightarrow \exists j\ \mathit{seq}_j\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b}\ \mathrm{def}\mathcal{L}
$$
The remaining cases are done similarly, except for the one valid case, which corresponds to a use of the left ⇒ rule:
$$
\exists b' \exists c'(\mathit{element}\,(b' \Rightarrow c')\,((b \Rightarrow \langle a \rangle)::\mathit{nil}) \wedge
\mathit{seq}_{i'}\,(c'::(b \Rightarrow \langle a \rangle)::\mathit{nil})\,\langle a \rangle \wedge
\mathit{seq}_{i'}\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b') \longrightarrow \exists j\ \mathit{seq}_j\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b .
$$
In this case, $b' \Rightarrow c'$ does match the first element of the list, so we must consider the case where the left rule was applied to $(b \Rightarrow \langle a \rangle)$:
$$
\dfrac{\dfrac{\dfrac{\dfrac{\Gamma,\ \mathit{seq}_{i'}\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b \longrightarrow \exists j \ldots \qquad \mathit{element}\,(b' \Rightarrow c')\,\mathit{nil}, \ldots \longrightarrow \exists j \ldots}{\mathit{element}\,(b' \Rightarrow c')\,((b \Rightarrow \langle a \rangle)::\mathit{nil}),\ \mathit{seq}_{i'}\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b' \longrightarrow \exists j \ldots}\ \mathrm{def}\mathcal{L}}{\mathit{element}\,(b' \Rightarrow c') \ldots \wedge \ldots,\ \mathit{element}\,(b' \Rightarrow c') \ldots \wedge \ldots \longrightarrow \exists j \ldots}\ \wedge\mathcal{L}}{\mathit{element}\,(b' \Rightarrow c')\,((b \Rightarrow \langle a \rangle)::\mathit{nil}) \wedge \ldots \longrightarrow \exists j\ \mathit{seq}_j\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b}\ c\mathcal{L}}{\ldots \longrightarrow \exists j\ \mathit{seq}_j\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b}\ \exists\mathcal{L}
$$
But the unproved sequent is easily derived by choosing $j$ to be $i'$:
$$
\dfrac{\dfrac{}{\Gamma,\ \mathit{seq}_{i'}\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b \longrightarrow \mathit{seq}_{i'}\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b}\ \mathit{init}}{\Gamma,\ \mathit{seq}_{i'}\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b \longrightarrow \exists j\ \mathit{seq}_j\,((b \Rightarrow \langle a \rangle)::\mathit{nil})\,b}\ \exists\mathcal{R}
$$
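As an added illustration of the explicit sequent encoding (this is not code from the paper), the following Python checker implements the ⟨A⟩/⇒ fragment of Table VI: a Python list stands in for the prplst argument, an integer for the measure written as a subscript, and the tuple returned by `seq` records which clause was unfolded, which is the case split that defL performs on the judgement; `left_cases` lists the (b, c) pairs that survive the defL analysis of the `element` assumption, as in the example above. The names `seq`, `element`, `measure` and `left_cases` are this example's own.

```python
"""Bounded derivability for the ⟨A⟩ / ⇒ fragment of Table VI (added example).

A Python list plays the role of the prplst argument, the integer i the role of
the natural-number measure written as a subscript, and the tuple returned by
seq() records which clause was unfolded, i.e. the case split that defL performs
when it analyses the judgement seq_i L C."""
from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class Atom:
    """⟨A⟩: an object-logic atom coerced to a proposition."""
    name: str


@dataclass(frozen=True)
class Imp:
    """B ⇒ C: object-logic implication."""
    ant: "Prp"
    con: "Prp"


Prp = Union[Atom, Imp]
Deriv = tuple  # ("init", C) | ("imp_R", d) | ("imp_L", b_imp_c, d1, d2)


def element(x: Prp, lst: list) -> bool:
    """element X L from D(list(prp)):
         element X (X::L) ≜ ⊤        element X (Y::L) ≜ element X L
    Unfolding with defL keeps only the positions whose head unifies with X;
    element X nil matches no clause at all, so that case simply disappears."""
    return any(x == y for y in lst)


def seq(i: int, L: list, C: Prp) -> Optional[Deriv]:
    """Derivation of seq_i L C, or None if no clause of the fragment applies.
    Only clauses whose head unifies with the measure are tried: the initial
    clause has head seq_I (any measure), all others have head seq_(s I)."""
    # seq_I L ⟨A⟩ ≜ element ⟨A⟩ L
    if isinstance(C, Atom) and element(C, L):
        return ("init", C)
    if i == 0:                      # measure z unifies with no other head
        return None
    # seq_(s I) L (B ⇒ C) ≜ seq_I (B::L) C
    if isinstance(C, Imp):
        d = seq(i - 1, [C.ant] + L, C.con)
        if d is not None:
            return ("imp_R", d)
    # seq_(s I) L D ≜ ∃b∃c(element (b ⇒ c) L ∧ seq_I (c::L) D ∧ seq_I L b)
    # The witnesses b, c are exactly the implications element finds in L;
    # every other choice is eliminated by defL on the element assumption.
    for b, c in left_cases(L):
        d1 = seq(i - 1, [c] + L, C)
        d2 = seq(i - 1, L, b) if d1 is not None else None
        if d1 is not None and d2 is not None:
            return ("imp_L", Imp(b, c), d1, d2)
    return None


def left_cases(L: list) -> list:
    """Pairs (b, c) admitted by element (b ⇒ c) L: the only left-rule cases
    that survive the defL analysis of the element assumption."""
    return [(h.ant, h.con) for h in L if isinstance(h, Imp)]


def measure(d: Deriv) -> int:
    """Smallest i such that d witnesses seq_i L C: the initial clause costs
    nothing, every other clause adds one successor to the measure."""
    if d[0] == "init":
        return 0
    if d[0] == "imp_R":
        return 1 + measure(d[1])
    return 1 + max(measure(d[2]), measure(d[3]))


if __name__ == "__main__":
    a, b = Atom("a"), Atom("b")
    print(seq(1, [b, Imp(b, a)], a))       # left ⇒ rule, then two initial sequents
    print(seq(2, [], Imp(a, Imp(b, a))))   # two right ⇒ steps, then initial
    print(left_cases([Imp(b, a)]))         # [(b, a)]: the one surviving left case
```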



Now let us consider another example. Suppose we know that the sequent

is derivable in intuitionistic logic for some predicate constant $p$ and some terms $t_1$, $t_2$, and $t_3$. The derivation must end with applications of the right rules for $\bigwedge$ and ⇒, since these are the only rules that apply. Thus we know that the sequent $p\,y_1\,t_1,\ p\,y_2\,t_2 \longrightarrow p\,y_2\,t_3$ is derivable. Since $p$ is a predicate constant, these formulas are all atomic, so the only rule that applies is the initial rule. The eigenvariable condition for the application of the right rule for $\bigwedge$ guarantees that $y_1$ and $y_2$ are distinct, so the initial rule must apply to the second hypothesis. Therefore, it must be the case that $t_2$ and $t_3$ are the same term.

Now let us try to capture this reasoning in FOλ^ΔN using our current encoding of intuitionistic logic. To do this, we will need some way to indicate term identity, and so we introduce the predicate $=$ of type $i \to i \to o$ defined by the clause $X = X \triangleq \top$. We then want to derive the sequent
$$
\longrightarrow \forall p \forall t_1 \forall t_2 \forall t_3(\exists i\ \mathit{seq}_i\,\mathit{nil}\,\textstyle\bigwedge_i y_1 \bigwedge_i y_2((p\,y_1\,t_1) \Rightarrow (p\,y_2\,t_2) \Rightarrow (p\,y_2\,t_3)) \supset t_2 = t_3) .
$$
The only way to proceed is by applying ∀R and ⊃R, yielding
$$
\exists i\ \mathit{seq}_i\,\mathit{nil}\,\textstyle\bigwedge_i y_1 \bigwedge_i y_2((p\,y_1\,t_1) \Rightarrow (p\,y_2\,t_2) \Rightarrow (p\,y_2\,t_3)) \longrightarrow t_2 = t_3 .
$$
There is nothing more that we can do on the right, since the definitional clause for $=$ does not apply. Applying ∃L gives us the sequent
$$
\mathit{seq}_i\,\mathit{nil}\,\textstyle\bigwedge_i y_1 \bigwedge_i y_2((p\,y_1\,t_1) \Rightarrow (p\,y_2\,t_2) \Rightarrow (p\,y_2\,t_3)) \longrightarrow t_2 = t_3 .
$$
Now we want to reason about the derivation of $\bigwedge_i y_1 \bigwedge_i y_2 \ldots$ to conclude that $t_2 = t_3$. In the informal proof, we reasoned that this derivation must end with the right rule for $\bigwedge_i$; we do the same thing here using defL, which yields the sequent
$$
\forall y_1\ \mathit{seq}_{i'}\,\mathit{nil}\,\textstyle\bigwedge_i y_2((p\,y_1\,t_1) \Rightarrow (p\,y_2\,t_2) \Rightarrow (p\,y_2\,t_3)) \longrightarrow t_2 = t_3 ,
$$
as well as three other sequents corresponding to the cases where the object logic derivation ends with the application of one of the left rules. Since these latter three sequents represent cases that are not applicable, they are easily derivable as shown
in the previous example; we thus focus on the sequent shown above. Before we can proceed to apply defL again for the second use of the right rule for $\bigwedge$, we must first apply ∀L, which requires supplying a substitution term for $y_1$. For this proof, it doesn't matter what term we use for $y_1$, as long as it is something that does not unify with the term we supply for $y_2$. So let $x_1$ and $x_2$ be two distinct, non-unifiable terms of type $i$. If we use $x_1$ for $y_1$, and then apply defL and ∀L again using $x_2$ for $y_2$, we get
$$
\mathit{seq}_{i''}\,\mathit{nil}\,((p\,x_1\,t_1) \Rightarrow (p\,x_2\,t_2) \Rightarrow (p\,x_2\,t_3)) \longrightarrow t_2 = t_3 .
$$

We now apply defL two more times, each of which corresponds to reasoning that the object logic derivation must proceed with a use of the right rule for ⇒. This yields the sequent
$$
\mathit{seq}_{i''''}\,((p\,x_2\,t_2)::(p\,x_1\,t_1)::\mathit{nil})\,(p\,x_2\,t_3) \longrightarrow t_2 = t_3 .
$$
Another application of defL reflects the fact that in the object logic derivation only the initial rule now applies:
$$
\mathit{element}\,(p\,x_2\,t_3)\,((p\,x_2\,t_2)::(p\,x_1\,t_1)::\mathit{nil}) \longrightarrow t_2 = t_3 .
$$
For $(p\,x_2\,t_3)$ to be the first element of the list, $t_2$ and $t_3$ must be the same, and this is what we want to prove. We have chosen $x_1$ and $x_2$ to be terms that do not unify, so $(p\,x_2\,t_3)$ cannot be the other element of the list. This reasoning is represented formally by the FOλ^ΔN derivation
$$
\dfrac{\dfrac{\dfrac{}{\top \longrightarrow \top}\ \top\mathcal{R}}{\top \longrightarrow t_2 = t_2}\ \mathrm{def}\mathcal{R} \qquad
\dfrac{\dfrac{}{\mathit{element}\,(p\,x_2\,t_3)\,\mathit{nil} \longrightarrow t_2 = t_3}\ \mathrm{def}\mathcal{L}}{\mathit{element}\,(p\,x_2\,t_3)\,((p\,x_1\,t_1)::\mathit{nil}) \longrightarrow t_2 = t_3}\ \mathrm{def}\mathcal{L}}{\mathit{element}\,(p\,x_2\,t_3)\,((p\,x_2\,t_2)::(p\,x_1\,t_1)::\mathit{nil}) \longrightarrow t_2 = t_3}\ \mathrm{def}\mathcal{L}
$$
If we are able to construct the two non-unifiable terms $x_1$ and $x_2$, we are able to conduct this analysis in FOλ^ΔN. But the need for these two terms is rather disturbing. The informal proof is independent of the type of $y_1$ and $y_2$ and the term structure of this type. In fact, the informal proof is valid even for a type that is uninhabited; this is obviously not the case for our representation in FOλ^ΔN. The problem is that our representation of object-level quantification in terms of FOλ^ΔN quantification doesn't allow us to examine a derivation that is generic over certain terms. Although the formula $\forall y\ \mathit{seq}_j\,L\,(B\,y)$ indicates that the proposition $B\,y$ is derivable from the hypotheses in $L$ for any $y$, it does not indicate that the derivation is the same for all $y$, and we cannot examine that derivation generically. All we can do is use the ∀L rule, which requires us to substitute a specific term for $y$, and then examine the derivation for that specific term. This is analogous to the problem we encountered before related to the encoding of object logic implication in terms of FOλ^ΔN implication.

4.4 Explicit eigenvariable encoding 

To solve this problem we must explicitly keep track of the eigenvariables introduced 
by the quantifier rules. We do not wish to abandon, however, our higher-order 
abstract syntax representation of quantification. In the earlier encodings of this 
section, we encoded the rules for object logic quantification using FOX^^ quantifi- 
cation; the key idea of our solution is to replace that use of FOX^^ quantification 
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with the use of FOX^^ A-abstraction. If we follow this idea naively and simply 
replace the quantification by A-abstraction, we get the following encoding of the 
right rule for /\: 

seq^s J) L (/\ ■ B) = Xx seqj L {B x) . 

This does not work, of course, since the body of this clause now has type i o 
instead of type o. To address this problem, it is important to first realize that as 
more eigenvariables are added and propositions are moved between the left and 
right sides of the sequent, we must deal more generally with "judgements" of the 
form 

Xxi . . . Xxn seqj {Lxi . . . Xn) {B Xi . . . Xn) 

for arbitrary n > 0. First consider "uncurrying" this expression by replacing the A- 
abstractions over xi, . . . , x„ by a single A-abstraction over the n-tuple (xi, . . . , 

Xx.seqi {L (tti x) . . . (7r„ x)) (B (tti x) . . . (7r„ x)) . 

Now we can deal with the arbitrary n by replacing the n-tuple with a list, and using 
fst X in place of tti x, fst (rst x) in place of 772 x, fst (rst (rst x)) in place of x, 
etc. Finally, we push the A-abstraction into the seq predicate by changing its type: 

seq : nt — > (cvs — > prplst) (evs — > prp) —^ o . 

Here evs is a new type representing a list of eigenvariables. We have already seen 
the two operators on this type, fst: evs i and rst evs evs; fst I represents the 
first eigenvariable in the list /, and rst I represents the remainder of the list. The 
right rule for /\ is now encoded as follows: 

seq(s 7) L {XI A, x{B Ix)) = seqj {XI' L{rst I')) {XI' B {rst I') {fst I')) . 

The bound variable I' in the body of the clause should be thought of as a list whose 
length is one longer than the length of the bound variable / in the head of the clause; 
fst I' represents the new eigenvariable, and rst I' represents the eigenvariables in I. 
The left rule for is similarly modified: 

seq^g/) L C ^ 3b{element {Xl\/ ^x{bl x)) L A 

seq^ {XI' {b {rst I') {fst l'))::{L {rst I'))) {XI' C {rst I')) . 

The remainder of the clauses are only modified to reflect the change in the type 
of seq. Note in particular that FOX^^ quantification can still be used in the 
encodings of the left rule for /\ and the right rule for V; since these rules do not 
introduce eigenvariables, this use of FOX'^^ quantification is not problematic. The 
type of the predicate element also changes: 

element : (evs — > prp) —^ {cvs prplst) o . 



Table VI] presents the definition for the entire logic. 

Since we have not changed the representation of quantification, we get $\alpha$-equivalence of quantified object logic formulas and substitution for object logic bound variables from the relevant features of $FO\lambda^{\Delta\mathbb{N}}$ as before. Substitution for eigenvariables is a little more involved, as shown by its encoding via the predicates

\[
\begin{array}{rcl}
\mathit{subst} & : & \mathit{nt} \to (\mathit{evs} \to i) \to (\mathit{evs} \to i) \to (\mathit{evs} \to i) \to o \\
\mathit{subst}_0 & : & \mathit{nt} \to (\mathit{evs} \to \mathit{evs} \to i) \to (\mathit{evs} \to \mathit{evs} \to i) \to (\mathit{evs} \to \mathit{evs} \to i) \to o \, .
\end{array}
\]

ACM Transactions on Computational Logic, Vol. TBD, No. TBD, TBD TED. 



Reasoning with Higher-Order Abstract Syntax · 25

Table VII. Explicit eigenvariable encoding of intuitionistic logic



\[
\begin{array}{rcl}
\mathit{seq}_I\ L\ (\lambda l\, \langle A\ l \rangle) & \triangleq & \mathit{element}\ (\lambda l\, \langle A\ l \rangle)\ L \\[2pt]
\mathit{seq}_{(s\,I)}\ L\ (\lambda l\, ((B\ l) \Rightarrow (C\ l))) & \triangleq & \mathit{seq}_I\ (\lambda l\, ((B\ l) :: (L\ l)))\ C \\[2pt]
\mathit{seq}_{(s\,I)}\ L\ (\lambda l\, \bigwedge_i x\, (B\ l\ x)) & \triangleq & \mathit{seq}_I\ (\lambda l'\, L\ (\mathit{rst}\ l'))\ (\lambda l'\, B\ (\mathit{rst}\ l')\ (\mathit{fst}\ l')) \\[2pt]
\mathit{seq}_{(s\,I)}\ L\ (\lambda l\, \bigvee_i x\, (B\ l\ x)) & \triangleq & \exists x\, \mathit{seq}_I\ L\ (\lambda l\, B\ l\ (x\ l)) \\[2pt]
\mathit{seq}_{(s\,I)}\ L\ D & \triangleq & \exists b \exists c\, (\mathit{element}\ (\lambda l\, ((b\ l) \Rightarrow (c\ l)))\ L \;\wedge\; \mathit{seq}_I\ (\lambda l\, ((c\ l) :: (L\ l)))\ D \;\wedge\; \mathit{seq}_I\ L\ b) \\[2pt]
\mathit{seq}_{(s\,I)}\ L\ C & \triangleq & \exists b\, (\mathit{element}\ (\lambda l\, \bigwedge_i x\, (b\ l\ x))\ L \;\wedge\; \exists x\, \mathit{seq}_I\ (\lambda l\, ((b\ l\ (x\ l)) :: (L\ l)))\ C) \\[2pt]
\mathit{seq}_{(s\,I)}\ L\ C & \triangleq & \exists b\, (\mathit{element}\ (\lambda l\, \bigvee_i x\, (b\ l\ x))\ L \;\wedge\; \mathit{seq}_I\ (\lambda l'\, ((b\ (\mathit{rst}\ l')\ (\mathit{fst}\ l')) :: (L\ (\mathit{rst}\ l'))))\ (\lambda l'\, C\ (\mathit{rst}\ l'))) \\[2pt]
\mathit{element}\ X\ (\lambda l\, ((X\ l) :: (L\ l))) & \triangleq & \top \\[2pt]
\mathit{element}\ X\ (\lambda l\, ((Y\ l) :: (L\ l))) & \triangleq & \mathit{element}\ X\ L
\end{array}
\]



Table VIII. Encoding of substitution for eigenvariables

\[
\begin{array}{l}
\mathit{subst}\ I\ T_1\ T_2\ T_2' \;\triangleq\; \mathit{subst}_0\ I\ (\lambda l'\, T_1)\ (\lambda l'\, T_2)\ (\lambda l'\, T_2') \\[4pt]
\mathit{subst}_0\ z\ T_1\ (\lambda l' \lambda l\, T_2\ l'\ (\mathit{fst}\ l)\ (\mathit{rst}\ l))\ (\lambda l' \lambda l\, T_2\ l'\ (T_1\ l'\ l)\ (\mathit{rst}\ l)) \;\triangleq\; \top \\[4pt]
\mathit{subst}_0\ (s\,I)\ (\lambda l' \lambda l\, T_1\ l'\ (\mathit{fst}\ l)\ (\mathit{rst}\ l))\ (\lambda l' \lambda l\, T_2\ l'\ (\mathit{fst}\ l)\ (\mathit{rst}\ l))\ (\lambda l' \lambda l\, T_2'\ l'\ (\mathit{fst}\ l)\ (\mathit{rst}\ l)) \\
\quad \triangleq\; \mathit{subst}_0\ I\ (\lambda l' \lambda l\, T_1\ (\mathit{rst}\ l')\ (\mathit{fst}\ l')\ l)\ (\lambda l' \lambda l\, T_2\ (\mathit{rst}\ l')\ (\mathit{fst}\ l')\ l)\ (\lambda l' \lambda l\, T_2'\ (\mathit{rst}\ l')\ (\mathit{fst}\ l')\ l)
\end{array}
\]



The judgement $\mathit{subst}\ i\ t_1\ t_2\ t_2'$ indicates that $t_2'$ is the result of substituting $t_1$ in $t_2$ for the $(i+1)^{\mathrm{th}}$ eigenvariable. We could just as easily use the actual encoding $(\mathit{fst}\ (\mathit{rst}^i\ l))$ of the $(i+1)^{\mathrm{th}}$ eigenvariable in place of its index, but we find it more convenient to use the index so that we can perform induction on it. (Here we use $(\mathit{rst}^n\ l)$ for $n$ applications of $\mathit{rst}$ to $l$, i.e., $(\mathit{rst}^0\ l)$ is $l$, $(\mathit{rst}^1\ l)$ is $(\mathit{rst}\ l)$, $(\mathit{rst}^2\ l)$ is $(\mathit{rst}\ (\mathit{rst}\ l))$, etc.) The $\mathit{subst}_0$ predicate is used in the definition of $\mathit{subst}$; the extra $\mathit{evs}$ argument is used to keep track of eigenvariables at the beginning of the list as we search down the list for the substitution variable. The encoding of these predicates is shown in Table VIII. Substitution for the first eigenvariable can be done directly; to substitute for the $(i+2)^{\mathrm{th}}$ eigenvariable we move the first eigenvariable from the list $l$ to the list $l'$ and substitute for the $(i+1)^{\mathrm{th}}$ eigenvariable of $l$.

As with the previous encoding of intuitionistic logic, we must derive the admissibility of the structural rules and the cut rule by induction. We have retained the atomic encoding of sequents, so we can still analyze derivations of propositions from hypotheses. In addition, the explicit encoding of eigenvariables allows us to better analyze derivations of generic propositions. To see this, we revisit the example from






26 · R. C. McDowell and D. A. Miller



before; the sequent we wish to derive is 

\[
\longrightarrow \forall p \forall t_1 \forall t_2 \forall t_3\, (\exists i\, \mathit{seq}_i\ (\lambda l\, \mathit{nil})\ (\lambda l\, \textstyle\bigwedge_i y_1 \bigwedge_i y_2\, ((p\ y_1\ t_1) \Rightarrow (p\ y_2\ t_2) \Rightarrow (p\ y_2\ t_3))) \supset t_2 = t_3) \, .
\]

As before, we begin by applying the $\forall\mathcal{R}$, $\supset\mathcal{R}$, and $\exists\mathcal{L}$ rules to obtain the sequent
\[
\mathit{seq}_i\ (\lambda l\, \mathit{nil})\ (\lambda l\, \textstyle\bigwedge_i y_1 \bigwedge_i y_2\, ((p\ y_1\ t_1) \Rightarrow (p\ y_2\ t_2) \Rightarrow (p\ y_2\ t_3))) \longrightarrow t_2 = t_3 \, .
\]

The derivation of the object logic formula $\bigwedge y_1 \bigwedge y_2 \cdots$ must end with two applications of the right rule for $\bigwedge$; we formalize this by applying $\mathit{def}\mathcal{L}$ twice, which results in the sequent
\[
\mathit{seq}_{i''}\ (\lambda l\, \mathit{nil})\ (\lambda l\, ((p\ (\mathit{fst}\ (\mathit{rst}\ l))\ t_1) \Rightarrow (p\ (\mathit{fst}\ l)\ t_2) \Rightarrow (p\ (\mathit{fst}\ l)\ t_3))) \longrightarrow t_2 = t_3 \, .
\]

The object logic derivation must proceed with two applications of the right rule for $\Rightarrow$; we deduce this formally by two more applications of the $\mathit{def}\mathcal{L}$ rule, yielding
\[
\mathit{seq}_{i''''}\ (\lambda l\, ((p\ (\mathit{fst}\ l)\ t_2) :: (p\ (\mathit{fst}\ (\mathit{rst}\ l))\ t_1) :: \mathit{nil}))\ (\lambda l\, (p\ (\mathit{fst}\ l)\ t_3)) \longrightarrow t_2 = t_3 \, .
\]

An additional use of the $\mathit{def}\mathcal{L}$ rule corresponds to the realization that the initial rule must complete the object logic derivation, giving us the sequent
\[
\mathit{element}\ (\lambda l\, (p\ (\mathit{fst}\ l)\ t_3))\ (\lambda l\, ((p\ (\mathit{fst}\ l)\ t_2) :: (p\ (\mathit{fst}\ (\mathit{rst}\ l))\ t_1) :: \mathit{nil})) \longrightarrow t_2 = t_3 \, .
\]

If $(p\ (\mathit{fst}\ l)\ t_3)$ is the first element of the list, then $t_2$ and $t_3$ are the same, which is the result we are trying to establish. The formula $(p\ (\mathit{fst}\ l)\ t_3)$ cannot be the other element of the list, because the first argument to $p$ differs; thus we are done. This is all formally encoded by the derivation



\[
\frac{
\dfrac{}{\top \longrightarrow t_2 = t_2}\;\mathit{def}\mathcal{R}
\qquad
\dfrac{\dfrac{}{\mathit{element}\ (\lambda l\,(p\ (\mathit{fst}\ l)\ t_3))\ (\lambda l\,\mathit{nil}) \longrightarrow t_2 = t_3}}
      {\mathit{element}\ (\lambda l\,(p\ (\mathit{fst}\ l)\ t_3))\ (\lambda l\,((p\ (\mathit{fst}\ (\mathit{rst}\ l))\ t_1) :: \mathit{nil})) \longrightarrow t_2 = t_3}
}{
\mathit{element}\ (\lambda l\,(p\ (\mathit{fst}\ l)\ t_3))\ (\lambda l\,((p\ (\mathit{fst}\ l)\ t_2) :: (p\ (\mathit{fst}\ (\mathit{rst}\ l))\ t_1) :: \mathit{nil})) \longrightarrow t_2 = t_3
}
\]

where the three inference rules without labels are $\mathit{def}\mathcal{L}$.

4.5 Discussion 

Before going on to formally derive theorems about encodings of logics, let us reflect on the encoding styles we have discussed. What we have is a spectrum of styles, all of which share the same higher-order abstract syntax encoding of formulas, but which vary in the degree to which they use the higher-order abstract syntax encoding of inference rules. The first encoding used the typical higher-order abstract syntax techniques, which made a number of significant properties of the object logic fall out easily from the properties of $FO\lambda^{\Delta\mathbb{N}}$. Unfortunately this encoding did not lend itself to formal analysis within $FO\lambda^{\Delta\mathbb{N}}$, since it could not be expressed as a definition nor given an induction measure. We then progressed through three other encodings, each of which compromised the use of higher-order abstract syntax a bit more. The cost of each compromise was a decrease in the elegance and an increase in the complexity of the encoding, and a reduction in the extent to which fundamental properties of the object logic followed from corresponding properties of $FO\lambda^{\Delta\mathbb{N}}$. The benefit, of course, was a greater ability to perform formal meta-theoretic analysis.
In Part III we will discuss an approach which lets us use the typical higher-order abstract syntax encodings and also perform meta-theoretic analyses on these encodings. The key to this approach is the use of a specification logic that is separate from $FO\lambda^{\Delta\mathbb{N}}$, and in fact is itself specified in $FO\lambda^{\Delta\mathbb{N}}$. In the next section we present two logics which will be used for this purpose, and which also serve as examples of the last two encoding techniques discussed in this section.



5. REPRESENTATION AND ANALYSIS OF LOGICS 

In this section we illustrate the use of some of the encoding techniques just presented. In Section 5.1 we use the explicit sequent technique of Section 4.3 to encode a fragment of intuitionistic logic; Section 5.2 discusses a fragment of linear logic encoded with the explicit eigenvariable technique of Section 4.4. In each case we prove the adequacy of the encoding and also derive in $FO\lambda^{\Delta\mathbb{N}}$ some properties of the object logic.

5.1 Intuitionistic logic 

Consider the fragment of second-order intuitionistic logic given by the grammar

\[
\begin{array}{rcl}
D & ::= & A \mid G \Rightarrow A \mid \bigwedge_\tau x . D \mid \bigwedge_{\tau \to \tau} x . D \\
G & ::= & A \mid \mathit{tt} \mid G \,\&\, G \mid A \Rightarrow G \mid \bigwedge_\tau x . G \, ,
\end{array}
\]

where $A$ ranges over atomic formulas and $\tau$ ranges over ground types. $D$ and $G$ represent definite clauses and goal formulas, respectively. Although this seems like a rather simple fragment, higher-order abstract syntax encodings generally fall within the set of definite clauses given by this grammar. Full intuitionistic logic could be used here instead, but its encoding is larger and that increase does not contribute to the set of examples that we wish to use here. The set of goal formulas can be encoded using the following constants:

\[
\begin{array}{lll}
\langle\cdot\rangle : \mathit{atm} \to \mathit{prp} & \& : \mathit{prp} \to \mathit{prp} \to \mathit{prp} & \bigwedge_\tau : (\tau \to \mathit{prp}) \to \mathit{prp} \\[2pt]
\mathit{tt} : \mathit{prp} & \Rightarrow : \mathit{atm} \to \mathit{prp} \to \mathit{prp} \, . &
\end{array}
\]

Notice that the antecedent of the implication is restricted to be atomic.

If we take any sequent calculus inference rule and restrict the conclusion to be a 
sequent whose antecedents are definite clauses and whose consequent is a goal for- 
mula, then the premises will also be sequents of this form. In fact, any antecedent 
in the premises will either be an antecedent of the conclusion or an atomic formula. 
Thus in a derivation in this fragment of intuitionistic logic, all non-atomic an- 
tecedents in any sequent of the derivation appear as antecedents in the end-sequent. 
So we can divide the antecedents into the original theory, which remains constant 
throughout the derivation, and some atomic antecedents, which vary throughout 
the derivation. Leaving the fixed theory aside for the moment, we can restrict our 
sequents to have only atomic antecedents: 

\[
\mathit{seq} : \mathit{nt} \to \mathit{atmlst} \to \mathit{prp} \to o \, ,
\]



where $\mathit{atmlst}$ is the same as the type $\mathit{lst}$ introduced in Section 2.2, using $\mathit{atm}$ for the type of elements. Since the antecedents are atomic, only the initial and right rules are necessary:

\[
\begin{array}{rcl}
\mathit{seq}_I\ (A' :: L)\ \langle A \rangle & \triangleq & \mathit{element}\ A\ (A' :: L) \\[2pt]
\mathit{seq}_I\ L\ \mathit{tt} & \triangleq & \top \\[2pt]
\mathit{seq}_{(s\,I)}\ L\ (B \,\&\, C) & \triangleq & \mathit{seq}_I\ L\ B \;\wedge\; \mathit{seq}_I\ L\ C \\[2pt]
\mathit{seq}_{(s\,I)}\ L\ (A \Rightarrow B) & \triangleq & \mathit{seq}_I\ (A :: L)\ B \\[2pt]
\mathit{seq}_{(s\,I)}\ L\ (\bigwedge_\tau B) & \triangleq & \forall_\tau x\, \mathit{seq}_I\ L\ (B\ x) \, .
\end{array}
\]

We now turn to consider the set of definite clauses that make up the theory for the derivation. Notice that the atomic formula $A$ is equivalent to the formula $\mathit{tt} \Rightarrow A$, so every definite clause can be written in the form $\bigwedge x_1 \cdots \bigwedge x_n\, (G \Rightarrow A)$. In addition, the logic under consideration is a subset of the logic of hereditary Harrop formulas. As a result, for any derivable sequent there is a uniform derivation of that sequent [Miller 1990; Miller et al. 1991]. In our setting, a derivation is uniform if every subderivation ending in a left rule is of the form



\[
\frac{
\dfrac{\Gamma \longrightarrow G[t_1, \ldots, t_n / x_1, \ldots, x_n] \qquad A[t_1, \ldots, t_n / x_1, \ldots, x_n], \Gamma \longrightarrow A'}
      {(G \Rightarrow A)[t_1, \ldots, t_n / x_1, \ldots, x_n], \Gamma \longrightarrow A'}
}{
\bigwedge x_1 \cdots \bigwedge x_n\, (G \Rightarrow A), \Gamma \longrightarrow A'
}
\]

where $A'$ and $A[t_1, \ldots, t_n / x_1, \ldots, x_n]$ are the same. If we group these steps together, our aggregate left rule encoding needs to say that $\mathit{seq}_{(s\,I)}\ L\ \langle A' \rangle$ holds if and only if there is a clause $\bigwedge x_1 \cdots \bigwedge x_n\, (G \Rightarrow A)$ in the theory such that $A$ can be instantiated to match $A'$, and $\mathit{seq}_I\ L\ G'$ holds, where $G'$ is the corresponding instantiation of $G$. We use the predicate

\[
\mathit{prog} : \mathit{atm} \to \mathit{prp} \to o
\]

to encode the theory. The fact that the definite clause $\bigwedge x_1 \cdots \bigwedge x_n\, (G \Rightarrow A)$ is in the theory is represented by the definitional clause $\mathit{prog}\ A\ G \triangleq \top$; the quantification of the definite clause is encoded by the (elided) quantification of the definitional clause. The encoding for the aggregate left rule is

\[
\mathit{seq}_{(s\,I)}\ L\ \langle A \rangle \;\triangleq\; \exists b\, (\mathit{prog}\ A\ b \;\wedge\; \mathit{seq}_I\ L\ b) \, ;
\]

notice that the matching between $A$ and the head of the definite clause is accomplished by the definition rules. Different object-level theories can be considered by varying the definition of $\mathit{prog}$, as illustrated in Part III. The object-level formulas encoded using $\mathit{prog}$ are treated by the object logic as a theory and not as a definition: there is no rule corresponding to $FO\lambda^{\Delta\mathbb{N}}$'s $\mathit{def}\mathcal{L}$ in the object logic.

We will refer to the six clauses for $\mathit{seq}$ given in this section as $\mathcal{D}(\mathit{intuit})$. For convenience we will abbreviate the formula $\exists i\, (\mathit{nat}\ i \wedge \mathit{seq}_i\ L\ B)$ as $L \triangleright B$ (or as $\triangleright B$ when $L$ is $\mathit{nil}$). We now state the following properties about this presentation of the object logic. If $B$ is a term of type $\mathit{prp}$, then let $[\![ B ]\!]$ be its (obvious) translation into a formula of intuitionistic logic. If $L$ is a term of type $\mathit{atmlst}$, let $[\![ L ]\!]$ be its (obvious) translation to a multiset of atomic formulas of intuitionistic logic.

Theorem 5.1 Adequacy of Encoding Intuitionistic Logic. Let $\mathcal{D}(\mathit{prog})$ be the definition $\{\forall \bar{x}_1 [\mathit{prog}\ A_1\ G_1 \triangleq \top], \ldots, \forall \bar{x}_n [\mathit{prog}\ A_n\ G_n \triangleq \top]\}$ ($n \geq 0$) which represents an object-level theory, and let $\mathcal{P}$ be the corresponding theory in intuitionistic logic (i.e., the set of formulas $\bigwedge \bar{x}_i\, ([\![ G_i ]\!] \Rightarrow [\![ A_i ]\!])$, for all $i \in \{1, \ldots, n\}$). Let $\mathcal{D}$ be a definition that extends $\mathcal{D}(\mathit{nat}) \cup \mathcal{D}(\mathit{list}(\mathit{atm})) \cup \mathcal{D}(\mathit{intuit}) \cup \mathcal{D}(\mathit{prog})$ with clauses that do not define $\mathit{nat}$, $\mathit{seq}$, $\mathit{element}$, or $\mathit{prog}$. Then the sequent $\longrightarrow L \triangleright B$ is derivable in $FO\lambda^{\Delta\mathbb{N}}$ with definition $\mathcal{D}$ if and only if $[\![ B ]\!]$ is an intuitionistic consequence of $[\![ L ]\!] \cup \mathcal{P}$.

Proof. The reverse direction follows easily from the definition $\mathcal{D}(\mathit{intuit})$. For the forward direction, the use of the $\mathit{def}\mathcal{R}$ rule with $\mathcal{D}(\mathit{intuit})$ will cause the structure of the $FO\lambda^{\Delta\mathbb{N}}$ derivation to closely follow that of the corresponding derivation in intuitionistic logic. However, we need to be sure that the $\mathit{nat}\mathcal{L}$ and $\mathit{def}\mathcal{L}$ rules don't allow us to derive anything that we can't derive in intuitionistic logic. In fact, we can show that a cut-free derivation of $\longrightarrow L \triangleright B$ will consist only of sequents with empty antecedents [McDowell 1997]. Thus the $\mathit{nat}\mathcal{L}$ and $\mathit{def}\mathcal{L}$ rules are not used, since they both require a formula in the antecedent. □

The following theorem states that we can derive in $FO\lambda^{\Delta\mathbb{N}}$ that the specialization rule, the cut rule and the usual structural rules (exchange, weakening, and contraction) are admissible for our object logic.

Theorem 5.2 Admissibility of Rules for Intuitionistic Object Logic. The following formulas are derivable in $FO\lambda^{\Delta\mathbb{N}}$ using the definition $\mathcal{D}(\mathit{nat}) \cup \mathcal{D}(\mathit{list}(\mathit{atm})) \cup \mathcal{D}(\mathit{intuit})$:

Specialization Rule:
\[
\forall i \forall b \forall l\, (\mathit{nat}\ i \supset \mathit{seq}_{(s\,i)}\ l\ (\textstyle\bigwedge_\tau b) \supset \forall x\, \mathit{seq}_i\ l\ (b\ x))
\]

Cut Rule:
\[
\forall a \forall b \forall l\, ((a :: l) \triangleright b \supset l \triangleright \langle a \rangle \supset l \triangleright b)
\]

Structural Rules:
\[
\forall i \forall b \forall l \forall l'\, (\mathit{nat}\ i \supset \forall a\, (\mathit{element}\ a\ l \supset \mathit{element}\ a\ l') \supset \mathit{seq}_i\ l\ b \supset \mathit{seq}_i\ l'\ b)
\]

5.2 Linear logic

Now consider the fragment of second-order linear logic given by the grammar

\[
\begin{array}{rcl}
D & ::= & A \mid G \Rightarrow A \mid G \multimap A \mid \bigwedge_\tau x . D \mid \bigwedge_{\tau \to \tau} x . D \\
G & ::= & A \mid \mathit{tt} \mid G \,\&\, G \mid A \multimap G \mid A \Rightarrow G \mid \bigwedge_\tau x . G \, ,
\end{array}
\]

where $A$ ranges over atomic formulas and $\tau$ ranges over ground types. As in Section 5.1, $D$ and $G$ represent definite clauses and goal formulas, respectively. The constants encoding these connectives have the same types as the corresponding constants used in Section 5.1; the new constant $\multimap$ has type $\mathit{atm} \to \mathit{prp} \to \mathit{prp}$.

We again separate the antecedents of sequents in a derivation into a theory, which remains constant throughout the derivation and is encoded via a predicate $\mathit{prog}$, and some atomic antecedents, which vary from sequent to sequent in the derivation and are shown explicitly in the sequent. The atomic antecedents are further divided into linear and intuitionistic antecedents:

\[
\mathit{seq} : \mathit{nt} \to (\mathit{evs} \to \mathit{atmlst}) \to (\mathit{evs} \to \mathit{atmlst}) \to (\mathit{evs} \to \mathit{prp}) \to o \, .
\]
Table IX. Explicit eigenvariable encoding of lists

\[
\begin{array}{rcl}
\mathit{length}\ \mathit{nil}^*\ z & \triangleq & \top \\[2pt]
\mathit{length}\ (A ::^* L)\ (s\,I) & \triangleq & \mathit{length}\ L\ I \\[2pt]
\mathit{list}\ L & \triangleq & \exists i\, (\mathit{nat}\ i \wedge \mathit{length}\ L\ i) \\[2pt]
\mathit{element}\ A\ (A ::^* L) & \triangleq & \top \\[2pt]
\mathit{element}\ A\ (A' ::^* L) & \triangleq & \mathit{element}\ A\ L \\[2pt]
\mathit{split}\ \mathit{nil}^*\ \mathit{nil}^*\ \mathit{nil}^* & \triangleq & \top \\[2pt]
\mathit{split}\ (A ::^* L_1)\ (A ::^* L_2)\ L_3 & \triangleq & \mathit{split}\ L_1\ L_2\ L_3 \\[2pt]
\mathit{split}\ (A ::^* L_1)\ L_2\ (A ::^* L_3) & \triangleq & \mathit{split}\ L_1\ L_2\ L_3 \\[2pt]
\mathit{permute}\ \mathit{nil}^*\ \mathit{nil}^* & \triangleq & \top \\[2pt]
\mathit{permute}\ (A ::^* L_1)\ L_2 & \triangleq & \exists l_{22}\, (\mathit{split}\ L_2\ (A ::^* \mathit{nil}^*)\ l_{22} \wedge \mathit{permute}\ L_1\ l_{22})
\end{array}
\]



The second and third arguments to $\mathit{seq}$ represent multisets of intuitionistic and linear antecedents, respectively. Notice that we follow the explicit eigenvariable encoding style of Section 4.4 by encoding the antecedents and consequent as functions whose domain is a list of eigenvariables. We could use the explicit sequent technique to encode linear logic and still prove the adequacy and admissibility theorems of this section. However, in Part III we will use the linear logic encoding of this section as a specification logic; the proof of the unicity of typing theorem in Section ^ uses meta-theoretic analysis that is not possible if we use the explicit sequent technique here. This also gives us the opportunity to provide a detailed illustration of the explicit eigenvariable encoding style. In order to highlight both the similarities and differences between our current encoding and the encoding of Section 5.1, we will use a number of abbreviations; we introduce the first of these now. For any type $\tau$, we will use $\tau^*$ as an abbreviation for $\mathit{evs} \to \tau$. Thus the type of $\mathit{seq}$ above can be expressed as

\[
\mathit{seq} : \mathit{nt} \to \mathit{atmlst}^* \to \mathit{atmlst}^* \to \mathit{prp}^* \to o \, .
\]



We must modify the definition $\mathcal{D}(\mathit{list}(\tau))$ from Section 2.2 to work over the type $\mathit{lst}^*$. The predicates will now have the following types:

\[
\begin{array}{rcl}
\mathit{length} & : & \mathit{lst}^* \to \mathit{nt} \to o \\
\mathit{list} & : & \mathit{lst}^* \to o \\
\mathit{element} & : & \tau^* \to \mathit{lst}^* \to o \\
\mathit{split} & : & \mathit{lst}^* \to \mathit{lst}^* \to \mathit{lst}^* \to o \\
\mathit{permute} & : & \mathit{lst}^* \to \mathit{lst}^* \to o
\end{array}
\]



The new definition $\mathcal{D}(\mathit{list}^*(\tau))$ is shown in Table IX; we use $\mathit{nil}^*$ and $A ::^* L$ as abbreviations for $\lambda l\, \mathit{nil}$ and $\lambda l\, ((A\ l) :: (L\ l))$.

We similarly introduce abbreviations corresponding to constructors of $\mathit{prp}^*$: $\langle A \rangle^*$ abbreviates $\lambda l\, \langle A\ l \rangle$, $\mathit{tt}^*$ abbreviates $\lambda l\, \mathit{tt}$, $B \,\&^*\, C$ abbreviates $\lambda l\, ((B\ l) \,\&\, (C\ l))$, $A \multimap^* B$ abbreviates $\lambda l\, ((A\ l) \multimap (B\ l))$, $A \Rightarrow^* B$ abbreviates $\lambda l\, ((A\ l) \Rightarrow (B\ l))$, and $\bigwedge^* B$ abbreviates $\lambda l\, (\bigwedge x\, (B\ l\ x))$.

Any definite clause in our fragment of linear logic is equivalent to a formula of 
Table X. Explicit eigenvariable encoding of linear logic

\[
\begin{array}{rcl}
\mathit{seq}_I\ \mathit{IL}\ (A ::^* \mathit{nil}^*)\ \langle A \rangle^* & \triangleq & \top \\[2pt]
\mathit{seq}_I\ (A' ::^* \mathit{IL})\ \mathit{nil}^*\ \langle A \rangle^* & \triangleq & \mathit{element}\ A\ (A' ::^* \mathit{IL}) \\[2pt]
\mathit{seq}_{(s\,I)}\ \mathit{IL}\ \mathit{LL}\ \langle A \rangle^* & \triangleq & \exists ll \exists il\, (\mathit{list}\ ll \wedge \mathit{list}\ il \wedge \mathit{prog}\ A\ ll\ il \wedge \mathit{split\_seq}_I\ \mathit{IL}\ \mathit{LL}\ ll \wedge \mathit{split\_seq}_I\ \mathit{IL}\ \mathit{nil}^*\ il) \\[2pt]
\mathit{seq}_I\ \mathit{IL}\ \mathit{LL}\ \mathit{tt}^* & \triangleq & \top \\[2pt]
\mathit{seq}_{(s\,I)}\ \mathit{IL}\ \mathit{LL}\ (B \,\&^*\, C) & \triangleq & \mathit{seq}_I\ \mathit{IL}\ \mathit{LL}\ B \;\wedge\; \mathit{seq}_I\ \mathit{IL}\ \mathit{LL}\ C \\[2pt]
\mathit{seq}_{(s\,I)}\ \mathit{IL}\ \mathit{LL}\ (A \multimap^* B) & \triangleq & \mathit{seq}_I\ \mathit{IL}\ (A ::^* \mathit{LL})\ B \\[2pt]
\mathit{seq}_{(s\,I)}\ \mathit{IL}\ \mathit{LL}\ (A \Rightarrow^* B) & \triangleq & \mathit{seq}_I\ (A ::^* \mathit{IL})\ \mathit{LL}\ B \\[2pt]
\mathit{seq}_{(s\,I)}\ \mathit{IL}\ \mathit{LL}\ (\bigwedge^* B) & \triangleq & \mathit{seq}_I\ (\lambda l\, \mathit{IL}\ (\mathit{rst}\ l))\ (\lambda l\, \mathit{LL}\ (\mathit{rst}\ l))\ (\lambda l\, B\ (\mathit{rst}\ l)\ (\mathit{fst}_i\ l)) \\[2pt]
\mathit{split\_seq}_I\ \mathit{IL}\ \mathit{nil}^*\ \mathit{nil}^* & \triangleq & \top \\[2pt]
\mathit{split\_seq}_I\ \mathit{IL}\ \mathit{LL}\ (B ::^* L) & \triangleq & \exists ll_1 \exists ll_2\, (\mathit{split}\ \mathit{LL}\ ll_1\ ll_2 \wedge \mathit{seq}_I\ \mathit{IL}\ ll_1\ B \wedge \mathit{split\_seq}_I\ \mathit{IL}\ ll_2\ L)
\end{array}
\]



the form

\[
\bigwedge x_1 \cdots \bigwedge x_k\, (B_1 \Rightarrow \cdots B_m \Rightarrow C_1 \multimap \cdots C_n \multimap A) \, ,
\]

for some $k, m, n \geq 0$ and goal formulas $B_1, \ldots, B_m, C_1, \ldots, C_n$. Uniform derivations



have also been shown to be complete for this logic [Hodas and Miller 1994]; thus we use the predicate

\[
\mathit{prog} : \mathit{atm}^* \to \mathit{prplst}^* \to \mathit{prplst}^* \to o
\]

to encode the set of definite clauses that make up the theory. The first argument represents the atomic head of the definite clause; the second and third arguments represent the lists $C_1, \ldots, C_n$ of linear hypotheses and $B_1, \ldots, B_m$ of intuitionistic hypotheses, respectively. The quantification of the definite clause is again encoded by the (elided) quantification of the corresponding definitional clause for $\mathit{prog}$. Notice that the quantified variables of the definitional clause should be able to match terms containing object-level eigenvariables and so should have type $i^*$ (for first-order variables) or $(i \to i)^*$ (for second-order variables). On the other hand, the definite clause itself should be closed, so the constants $\mathit{fst}_\tau$ and $\mathit{rst}$ (used to encode eigenvariables) should not occur in the corresponding definitional clause. The predicate

\[
\mathit{split\_seq} : \mathit{nt} \to \mathit{atmlst}^* \to \mathit{atmlst}^* \to \mathit{prplst}^* \to o
\]

will be used to express the idea that the propositions in the last argument are derivable from the intuitionistic and linear antecedents in the second and third arguments. Each linear antecedent must be used exactly once in the derivation of all propositions in the last list.

The inference rules for this logic are encoded in the definition $\mathcal{D}(\mathit{linear})$ of Table X which defines the predicates $\mathit{seq}$ and $\mathit{split\_seq}$. The third clause in the definition says that an atomic formula $A$ is derivable from intuitionistic antecedents $\mathit{IL}$ and linear antecedents $\mathit{LL}$ if there is a definite clause in the object-level theory whose head is $A$, whose linear hypotheses are derivable from the antecedents $\mathit{IL}$ and $\mathit{LL}$, and whose intuitionistic hypotheses are derivable from the antecedents $\mathit{IL}$. The other definitional clauses in Table X are similar to those in the explicit eigenvariable encoding of intuitionistic logic given in Section 4.4, but modified to reflect the linearity constraints. In the clause for $\bigwedge^*$ we subscript the constant $\mathit{fst}$ with the type $i$ because we also need a constant $\mathit{fst}_{i \to i} : \mathit{evs} \to i \to i$ for the representation of second-order eigenvariables in definite clauses. As in the previous section, different object-level theories can be considered by varying the definition of $\mathit{prog}$; an example theory will be given in Part III. For convenience we will abbreviate the formula $\exists i\, (\mathit{nat}\ i \wedge \mathit{seq}_i\ \mathit{IL}\ \mathit{LL}\ B)$ as $\mathit{IL}; \mathit{LL} \triangleright B$ (or as $\triangleright B$ when $\mathit{IL}$ and $\mathit{LL}$ are $\mathit{nil}^*$). If $B$ is a term of type $\mathit{prp}$ and $L$ is a term of type $\mathit{atmlst}$, then let $[\![ B ]\!]$ and $[\![ L ]\!]$ be their translations into a formula of linear logic and a multiset of atomic formulas of linear logic, respectively.
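The clauses of Tables IX and X read operationally, as an added Python example that is not part of the paper: atoms are plain strings (so the quantifier clause, the evs list and fst/rst are left out), the nat index of seq_I becomes a depth bound, and the vending-machine theory that stands in for prog is constructed for this illustration.

```python
"""Operational reading of the linear-logic encoding in Tables IX and X.

Added example, not the paper's own code.  The theory is propositional, so
atoms are plain strings; the quantifier clause (and with it the evs list,
fst and rst) is omitted, and the nat index of seq_I becomes a depth bound.
Goal syntax:  ('atom', a) | ('tt',) | ('and', G, G) | ('limp', a, G) | ('imp', a, G)
A theory clause (head, linear_hyps, intuit_hyps) plays the role of prog A ll il.
"""


def split(ll):
    """Table IX: all (l1, l2) with split ll l1 l2, i.e. the ordered 2-partitions of ll."""
    if not ll:
        yield [], []
        return
    a, rest = ll[0], ll[1:]
    for l1, l2 in split(rest):
        yield [a] + l1, l2          # a is sent to the first part
        yield l1, [a] + l2          # a is sent to the second part


def permute(l1, l2):
    """Table IX: permute l1 l2, stated through split exactly as in the definition."""
    if not l1:
        return not l2
    a, rest = l1[0], l1[1:]
    # exists l22. split l2 (a ::* nil*) l22  and  permute rest l22
    return any(left == [a] and permute(rest, l22) for left, l22 in split(l2))


def seq(i, il, ll, g, theory):
    """Table X: seq_i IL LL G, with IL and LL plain lists of atoms."""
    kind = g[0]
    if kind == 'atom':
        a = g[1]
        if ll == [a]:                          # linear initial rule: LL is exactly [A]
            return True
        if not ll and a in il:                 # intuitionistic initial rule: LL empty
            return True
        if i == 0:                             # the prog clause needs index (s I)
            return False
        return any(head == a
                   and split_seq(i - 1, il, ll, lhyps, theory)   # linear hyps consume LL
                   and split_seq(i - 1, il, [], ihyps, theory)   # intuit. hyps get nil*
                   for head, lhyps, ihyps in theory)
    if kind == 'tt':
        return True                            # tt* succeeds with any linear context
    if i == 0:
        return False
    if kind == 'and':                          # &* copies LL to both branches
        return seq(i - 1, il, ll, g[1], theory) and seq(i - 1, il, ll, g[2], theory)
    if kind == 'limp':                         # A -o* B puts A into LL
        return seq(i - 1, il, ll + [g[1]], g[2], theory)
    if kind == 'imp':                          # A =>* B puts A into IL
        return seq(i - 1, il + [g[1]], ll, g[2], theory)
    raise ValueError('unknown goal %r' % (g,))


def split_seq(i, il, ll, goals, theory):
    """Table X: split_seq_i IL LL goals; each goal takes a share of LL and LL is used up."""
    if not goals:
        return not ll
    b, rest = goals[0], goals[1:]
    return any(seq(i, il, ll1, b, theory) and split_seq(i, il, ll2, rest, theory)
               for ll1, ll2 in split(ll))


# Constructed sample theory (a vending machine): coffee costs two coins, tea one,
# and being served coffee also needs the reusable (intuitionistic) fact 'menu'.
THEORY = [
    ('coffee', [('atom', 'coin'), ('atom', 'coin')], []),
    ('tea',    [('atom', 'coin')],                   []),
    ('served', [('atom', 'coffee')],                 [('atom', 'menu')]),
]


def provable(il, ll, g, theory=THEORY, bound=8):
    """Approximates  exists i. nat i /\ seq_i IL LL G  with a fixed depth bound."""
    return seq(bound, il, ll, g, theory)
```

Note how three coins fail to buy a coffee: the two linear hypotheses of the clause must consume the whole linear context, which is the exactly-once constraint the text describes for split_seq.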

Theorem 5.3 Adequacy of Encoding Linear Logic. Fix a $FO\lambda^{\Delta\mathbb{N}}$ signature whose only constants with types involving $\mathit{evs}$ are $\mathit{fst}_i$, $\mathit{fst}_{i \to i}$, and $\mathit{rst}$. Let $\mathcal{D}(\mathit{prog})$ be the definition

\[
\{\forall \bar{y}_1 [\mathit{prog}\ A_1\ \mathit{LL}_1\ \mathit{IL}_1 \triangleq \top], \ldots, \forall \bar{y}_n [\mathit{prog}\ A_n\ \mathit{LL}_n\ \mathit{IL}_n \triangleq \top]\}
\]

($n \geq 0$), where the quantified variables in the list $\bar{y}_i$ each have type $i^*$ or $(i \to i)^*$, and the constants $\mathit{fst}_\tau$ and $\mathit{rst}$ do not occur in $A_i$, $\mathit{LL}_i$, or $\mathit{IL}_i$, for all $i \in \{1, \ldots, n\}$. Let $\mathcal{P}$ be the theory in linear logic that corresponds to $\mathcal{D}(\mathit{prog})$, and let $\mathcal{D}$ be a definition that extends $\mathcal{D}(\mathit{nat}) \cup \mathcal{D}(\mathit{list}^*(\mathit{atm})) \cup \mathcal{D}(\mathit{list}^*(\mathit{prp})) \cup \mathcal{D}(\mathit{linear}) \cup \mathcal{D}(\mathit{prog})$ with clauses that do not define $\mathit{nat}$, $\mathit{length}$, $\mathit{list}$, $\mathit{element}$, $\mathit{split}$, $\mathit{split\_seq}$, $\mathit{prog}$, or $\mathit{seq}$. Finally, let $\mathit{IL} : \mathit{atmlst}^*$, $\mathit{LL} : \mathit{atmlst}^*$, and $B : \mathit{prp}^*$ be terms that do not contain occurrences of the constant $\mathit{fst}_{i \to i}$. Then the sequent $\longrightarrow \mathit{IL}; \mathit{LL} \triangleright B$ is derivable in $FO\lambda^{\Delta\mathbb{N}}$ with definition $\mathcal{D}$ if and only if the sequent $\mathcal{P}, [\![ \mathit{IL} ]\!]; [\![ \mathit{LL} ]\!] \longrightarrow [\![ B ]\!]$ is derivable in linear logic.

Proof. We can restrict our attention to uniform derivations in linear logic, since they are complete for this fragment of linear logic [Hodas and Miller 1994]. As before a cut-free derivation of $\longrightarrow \mathit{IL}; \mathit{LL} \triangleright B$ will consist only of sequents with empty antecedents. Thus the definition of $\mathit{seq}$ will ensure that the structure of the $FO\lambda^{\Delta\mathbb{N}}$ derivation will closely follow that of the corresponding derivation in linear logic. The proof of the forward direction goes by induction on the structure of the $FO\lambda^{\Delta\mathbb{N}}$ derivation, and the reverse direction by induction on the structure of the linear logic derivation. In general each case follows easily from the induction hypothesis. A more detailed proof of this theorem, including a definition of the $[\![\,]\!]$ translations, can be found in McDowell [1997]. □



We now present the theorems that we have derived in $FO\lambda^{\Delta\mathbb{N}}$ about our object logic. In order to express and prove these theorems, we need additional predicates for operations related to the $\mathit{evs}$ parameter. The predicates

\[
\begin{array}{rcl}
\mathit{subst} & : & \mathit{nt} \to i^* \to \tau^* \to \tau^* \to o \\
\mathit{subst}_0 & : & \mathit{nt} \to i^{**} \to \tau^{**} \to \tau^{**} \to o
\end{array}
\]

will be used to represent substitution for eigenvariables; this is a simple generalization of the predicate of Section 4.4 to allow substitution in expressions of an arbitrary type $\tau$. The type $\tau^{**}$ should be understood to mean $(\tau^*)^*$, i.e., an abbreviation for $(\mathit{evs} \to \mathit{evs} \to \tau)$. We will also use the predicates

\[
\begin{array}{rcl}
\mathit{extend\_evars} & : & \mathit{nt} \to \tau^* \to \tau^* \to o \\
\mathit{extend\_evars}_0 & : & \mathit{nt} \to \tau^{**} \to \tau^{**} \to o
\end{array}
\]

to add a new eigenvariable to the list at an offset. Thus $\mathit{extend\_evars}\ i\ x\ x'$ indicates that $x'$ is the result of adding a new eigenvariable in $x$ at the $(i+1)^{\mathrm{th}}$ position in the list; the eigenvariables that previously occupied positions $(i+1)$ or greater are shifted to one position later in the list. These predicates are defined in the definition $\mathcal{D}(\mathit{evars}(\tau))$ of Table XI. We will also need a version of $\mathcal{D}(\mathit{list}(\tau))$ to work over the type $\mathit{lst}^{**}$; it is similar to $\mathcal{D}(\mathit{list}^*(\tau))$ and we will refer to it as $\mathcal{D}(\mathit{list}^{**}(\tau))$.

Table XI. Encoding of eigenvariable operations

\[
\begin{array}{l}
\mathit{subst}\ I\ T\ X\ X' \;\triangleq\; \mathit{subst}_0\ I\ (\lambda l'\, T)\ (\lambda l'\, X)\ (\lambda l'\, X') \\[4pt]
\mathit{subst}_0\ z\ T\ (\lambda l' \lambda l\, X\ l'\ (\mathit{fst}\ l)\ (\mathit{rst}\ l))\ (\lambda l' \lambda l\, X\ l'\ (T\ l'\ l)\ (\mathit{rst}\ l)) \;\triangleq\; \top \\[4pt]
\mathit{subst}_0\ (s\,I)\ (\lambda l' \lambda l\, T\ l'\ (\mathit{fst}\ l)\ (\mathit{rst}\ l))\ (\lambda l' \lambda l\, X\ l'\ (\mathit{fst}\ l)\ (\mathit{rst}\ l))\ (\lambda l' \lambda l\, X'\ l'\ (\mathit{fst}\ l)\ (\mathit{rst}\ l)) \\
\quad \triangleq\; \mathit{subst}_0\ I\ (\lambda l' \lambda l\, T\ (\mathit{rst}\ l')\ (\mathit{fst}\ l')\ l)\ (\lambda l' \lambda l\, X\ (\mathit{rst}\ l')\ (\mathit{fst}\ l')\ l)\ (\lambda l' \lambda l\, X'\ (\mathit{rst}\ l')\ (\mathit{fst}\ l')\ l) \\[4pt]
\mathit{extend\_evars}\ I\ X\ X' \;\triangleq\; \mathit{extend\_evars}_0\ I\ (\lambda l'\, X)\ (\lambda l'\, X') \\[4pt]
\mathit{extend\_evars}_0\ z\ (\lambda l' \lambda l\, X\ l'\ l)\ (\lambda l' \lambda l\, X\ l'\ (\mathit{rst}\ l)) \;\triangleq\; \top \\[4pt]
\mathit{extend\_evars}_0\ (s\,I)\ (\lambda l' \lambda l\, X\ l'\ (\mathit{fst}\ l)\ (\mathit{rst}\ l))\ (\lambda l' \lambda l\, X'\ l'\ (\mathit{fst}\ l)\ (\mathit{rst}\ l)) \\
\quad \triangleq\; \mathit{extend\_evars}_0\ I\ (\lambda l' \lambda l\, X\ (\mathit{rst}\ l')\ (\mathit{fst}\ l')\ l)\ (\lambda l' \lambda l\, X'\ (\mathit{rst}\ l')\ (\mathit{fst}\ l')\ l)
\end{array}
\]

Since we want our theorems about the object logic to be independent of any particular object logic theory, we need to include some assumptions about the predicate $\mathit{prog}$. Specifically, we will need to know that if an atom matches the head of a clause in the theory, then if we substitute for an eigenvariable in the atom or extend the list of eigenvariables, then the resulting atom will still match the head of the clause. We encode these assumptions as the following two formulas:

\[
\forall i \forall t \forall a \forall a' \forall ll \forall il\, (\mathit{nat}\ i \supset \mathit{prog}\ a\ ll\ il \supset \mathit{subst}\ i\ t\ a\ a' \supset \exists ll' \exists il'\, (\mathit{prog}\ a'\ ll'\ il' \wedge \mathit{subst}\ i\ t\ ll\ ll' \wedge \mathit{subst}\ i\ t\ il\ il')) \, ,
\]

which we will refer to as $P_{\mathit{subst}}$, and

\[
\forall i \forall a \forall a' \forall ll \forall il\, (\mathit{nat}\ i \supset \mathit{prog}\ a\ ll\ il \supset \mathit{extend\_evars}\ i\ a\ a' \supset \exists ll' \exists il'\, (\mathit{prog}\ a'\ ll'\ il' \wedge \mathit{extend\_evars}\ i\ ll\ ll' \wedge \mathit{extend\_evars}\ i\ il\ il')) \, ,
\]

which we will refer to as $P_{\mathit{extend}}$. The theory should not contain occurrences of eigenvariables, so the definition of $\mathit{prog}$ should not contain occurrences of $\mathit{fst}$ or $\mathit{rst}$. If this is the case, then $P_{\mathit{subst}}$ and $P_{\mathit{extend}}$ will be derivable in $FO\lambda^{\Delta\mathbb{N}}$.

The following theorem states that we can derive in $FO\lambda^{\Delta\mathbb{N}}$ that the specialization rule, the cut rule, and the usual linear logic structural rules are admissible for our object logic. We refer to the definition

\[
\mathcal{D}(\mathit{list}^*(\mathit{atm})) \cup \mathcal{D}(\mathit{list}^*(\mathit{prp})) \cup \mathcal{D}(\mathit{list}^{**}(\mathit{atm})) \cup \mathcal{D}(\mathit{list}^{**}(\mathit{prp}))
\]

as $\mathcal{D}(\mathit{lists})$ and the definition

\[
\mathcal{D}(\mathit{evars}(\mathit{atm})) \cup \mathcal{D}(\mathit{evars}(\mathit{prp})) \cup \mathcal{D}(\mathit{evars}(\mathit{atmlst})) \cup \mathcal{D}(\mathit{evars}(\mathit{prplst}))
\]

as $\mathcal{D}(\mathit{evars})$.

Theorem 5.4 Rule Admissibility for Linear Logic. The formulas below are derivable in $FO\lambda^{\Delta\mathbb{N}}$ using the definition $\mathcal{D}(\mathit{nat}) \cup \mathcal{D}(\mathit{lists}) \cup \mathcal{D}(\mathit{evars}) \cup \mathcal{D}(\mathit{linear})$:

Specialization Rule:
\[
P_{\mathit{subst}} \longrightarrow \forall i \forall b \forall il \forall ll\, (\mathit{nat}\ i \supset \mathit{list}\ il \supset \mathit{list}\ ll \supset \mathit{seq}_{(s\,i)}\ il\ ll\ (\textstyle\bigwedge^* b) \supset \forall x\, \mathit{seq}_i\ il\ ll\ (b\ x))
\]

Cut Rule:
\[
\forall a \forall b \forall il \forall ll\, (\mathit{list}\ il \supset \mathit{list}\ ll \supset (a ::^* il); ll \triangleright b \supset il; \mathit{nil}^* \triangleright \langle a \rangle^* \supset il; ll \triangleright b)
\]

Structural Rules:
\[
\forall a \forall b \forall il \forall ll \forall ll_1 \forall ll_2\, (\mathit{list}\ il \supset \mathit{list}\ ll \supset \mathit{split}\ ll\ ll_1\ ll_2 \supset il; (a ::^* ll_1) \triangleright b \supset il; ll_2 \triangleright \langle a \rangle^* \supset il; ll \triangleright b)
\]
\[
\forall i \forall b \forall il \forall il' \forall ll \forall ll'\, (\mathit{nat}\ i \supset \mathit{list}\ il \supset \mathit{list}\ il' \supset \mathit{list}\ ll \supset \forall a\, (\mathit{element}\ a\ il \supset \mathit{element}\ a\ il') \supset \mathit{permute}\ ll\ ll' \supset \mathit{seq}_i\ il\ ll\ b \supset \mathit{seq}_i\ il'\ ll'\ b)
\]


6. RELATED WORK 

In this part of the paper we have presented several different encodings of logics; for each we discussed the extent to which reasoning about the encoded logic can take place within the meta-logic $FO\lambda^{\Delta\mathbb{N}}$. None of the encoding techniques is completely original, but their ability to support formal meta-theoretic analysis is a relatively new concern.



The natural deduction-style encoding of Section 4.1 is the prototypical representation style of higher-order abstract syntax. For example, the seminal paper on the Edinburgh Logical Framework (LF) [Harper et al. 1993] encodes first-order and higher-order logic in this manner and proves the adequacy of these encodings. The issue of meta-theoretic analysis of the encodings within the meta-logic is not addressed there.

The use of separate predicates for formulas on the left and right sides of the sequent, as was done in Section 4.2, is also common. Pfenning [1995], for example, uses this representation style to encode structural cut-elimination proofs for intuitionistic, classical, and linear logics. The induction cases of these proofs are represented in Elf, so some amount of reasoning about the encoded logics is done in the meta-logic. However Elf does not itself contain any support for induction, so the completeness of the cases must be checked outside of the formal framework using techniques such as schema checking [Pfenning and Rohwedder 1992; Rohwedder and Pfenning 1996]. Miller [1996] uses both this sequent style of encoding and the natural deduction style. The two encodings are used to show that natural deduction and sequent calculus presentations of minimal logic have the same theorems. The proof of this result combines informal reasoning with formal reasoning in a linear logic meta-logic.



Section 4.3 presented an encoding of logic which encoded the derivability of a sequent in a single predicate. This style of encoding was used in an early paper on the use of higher-order abstract syntax [Miller and Nadathur 1987]. That paper focuses on an operational interpretation of such a specification, however, and does not discuss the potential for reasoning about the encoded logic in the meta-logic.



The idea of representing free variables as a list, discussed in Section 4.4, was first used in the context of higher-order abstract syntax by Despeyroux and Hirschowitz [1994]. Their intent was to develop a way to use higher-order abstract syntax within the setting of the inductive definition facility of Coq. A key difference between their technique and ours is that they use both constructor and deconstructor operators for lists in the context of an equality theory. The encoding of the right rule for universal quantification in that setting might look like the following:

\[
\mathit{seq}_{(s\,I)}\ L\ (\lambda l\, \textstyle\bigwedge_i x\, (B\ (\mathit{cons}\ x\ l))) \;\triangleq\; \mathit{seq}_I\ (\lambda l'\, L\ (\mathit{rst}\ l'))\ B \, .
\]

Within terms, bound and free variables are accessed by selecting the appropriate element from the list. In our simpler setting (without an equality theory) we use unification to get by with only deconstructors for variable lists. The paper Despeyroux and Hirschowitz [1994] was the first attempt to fully support formal reasoning about higher-order abstract syntax encodings within a meta-logic. Their examples involved encodings of simply-typed $\lambda$-terms, so we will discuss their work further at the end of Part III.

Part III: OBJECT LOGICS AS SPECIFICATION LOGICS 

In this part we consider reasoning about higher-order abstract syntax encodings of programming languages. We could choose one of the representation strategies used for logics in the previous part; instead we adopt a different strategy that allows us to use the traditional higher-order abstract syntax representation to its full advantage and still reason formally about the encoded system. The key to accomplishing this is to not specify the programming language directly in $FO\lambda^{\Delta\mathbb{N}}$, but in a small object logic that is itself specified in $FO\lambda^{\Delta\mathbb{N}}$. In this way we can reason in $FO\lambda^{\Delta\mathbb{N}}$ about the structure of object logic sequents and their derivability.

The use of object-level sequents may seem at first a rather drastic step to take to embed the kind of hypothetical judgements common with higher-order abstract syntax into a meta-logic. Such a representation is, however, used in various areas of programming language semantics. For example, Mitchell, in his textbook [1995], uses typing judgements of the form $\Gamma \triangleright M : \sigma$ and performs induction over their (sequent-style) derivation. This separation of the (object) specification logic from the meta-logic ($FO\lambda^{\Delta\mathbb{N}}$) in which reasoning is performed also reflects the usual structure of informal reasoning about higher-order abstract syntax encodings.
In the next section we motivate this approach through an informal proof of subject reduction for the untyped $\lambda$-calculus. We proceed in Section 8 to formalize this proof by encoding the static and dynamic semantics for untyped $\lambda$-terms in the intuitionistic object logic of Section 5.1. We also list a variety of other theorems about the language that we have derived in $FO\lambda^{\Delta\mathbb{N}}$. The remainder of the section extends the encoding to the Programming language of Computable Functions (PCF) [Scott 1969]. In Section 9 we consider an encoding of PCF with references (PCF$_{:=}$) [Gunter 1992] in the linear object logic of Section 5.2. Finally, Section 10 compares the framework of this part with other research in formal reasoning about higher-order abstract syntax encodings.

7. MOTIVATION FROM INFORMAL REASONING 

In order to motivate our framework for reasoning about higher-order abstract syn- 
tax encodings, we consider a specification in intuitionistic logic of call-by-name 
evaluation and simple typing for the untyped λ-calculus. We introduce two types, 
tm and ty, to denote object-level terms and types. To represent the untyped λ- 
terms we introduce the two constants abs of type (tm → tm) → tm and app of 
type tm → tm → tm to denote object-level abstraction and application, respec- 
tively. Object-level types will be built up from a single primitive type using the 
arrow type constructor; these are denoted in the specification logic by the constants 
gnd of type ty and arr of type ty → ty → ty. 

To specify call-by-name evaluation, we use an infix predicate ⇓ of type tm → 
tm → o and the two formulas 

⋀r((abs r) ⇓ (abs r)) 
⋀m⋀n⋀v⋀r((m ⇓ (abs r) & (r n) ⇓ v) ⇒ (app m n) ⇓ v) . 

To specify simple typing at the object-level, we use the binary predicate typeof 
of type tm → ty → o and the two formulas 

⋀m⋀n⋀t⋀u((typeof m (arr u t) & typeof n u) ⇒ typeof (app m n) t) 
⋀r⋀t⋀u(⋀x(typeof x t ⇒ typeof (r x) u) ⇒ typeof (abs r) (arr t u)) . 

Proofs that these two predicates correctly capture the notions of call-by-name eval- 
uation and of simple typing can be found in various places in the literature: see, 
for example, Avron et al. [1992] and Hannan [1990]. 



Now consider the following subject reduction theorem and its proof. We use ⊢ 
here to represent derivability in intuitionistic logic from the above formulas encoding 
evaluation and typing; we omit displaying these formulas on the left of the turnstile 
to simplify the presentation. 

Proposition 7.1. If ⊢ P ⇓ V and ⊢ typeof P T, then ⊢ typeof V T. 

Proof. We prove this theorem by induction on the height of the derivation of 
P ⇓ V. Since P ⇓ V is atomic, its derivation must end with the use of one of the for- 
mulas encoding evaluation. If the ⇓ formula for abs is used, then P and V are both 
equal to abs R, for some R, and the consequent is immediate. If P ⇓ V was derived 
using the ⇓ formula for app, then P is of the form (app M N), and for some R there 
are shorter derivations of M ⇓ (abs R) and (R N) ⇓ V. Since P is (app M N), 
typeof P T must have been derived using the formula encoding the typing rule for 
app. Hence, there is a U such that ⊢ typeof M (arr U T) and ⊢ typeof N U. Ap- 
plying the inductive hypothesis to the evaluation and typing judgements for M, we 
have ⊢ typeof (abs R) (arr U T). This atomic formula must have been derived using 
the typeof formula for abs, and, hence, ⊢ ⋀x(typeof x U ⇒ typeof (R x) T). Since 
our specification logic is intuitionistic logic, we can instantiate this quantifier with 
N and use cut and cut-elimination to conclude that ⊢ typeof (R N) T. Applying 
the inductive hypothesis to the judgements for (R N) yields ⊢ typeof V T. □ 

This proof is clear and natural, and we would like to be able to formally capture 
proofs quite similar to this in structure. This suggests that the following features 
would be valuable in our framework: 

(1) Two distinct logics. One of the logics would correspond to the one written 
with logical syntax above and would capture judgements, e.g., about typability and 
evaluation. The second logic would represent a formalization of the English text 
in the proof above. Atomic formulas of this second (meta-) logic would encode 
judgements in the first (object) logic. 

(2) Induction over at least natural numbers. 

(3) Instantiation of meta-level eigenvariables. In the proof above, for example, 
the meta-level variable P was instantiated in one part of the proof to (abs R) 
and in another part of the proof to (app M N). Notice that this instantiation of 
eigenvariables within a proof does not happen in a strictly intuitionistic sequent 
calculus. 

(4) Analysis of the derivation of an assumed judgement. In the proof above this 
was done a few times, leading, for example, from the assumption 

⊢ typeof (abs R) (arr U T) 

to the assumption 

⊢ ⋀x(typeof x U ⇒ typeof (R x) T) . 

The specification of typeof allows the implication to go in the other direction, but 
given the structure of the specification of typeof this direction can also be justified 
at the meta-level. 

In our framework, we accommodate the first feature by specifying an object logic 
within the meta-logic FOλ^ΔIN, as illustrated in Part II. The natL rule of FOλ^ΔIN 
provides natural number induction. The last two features are accommodated by 
the definition facilities of FOλ^ΔIN, in particular the defL rule. We demonstrate our 
approach in the remaining sections of the paper, beginning with a formalization of 
the example from this section. 

8. REPRESENTATION AND ANALYSIS OF A FUNCTIONAL PROGRAMMING LANGUAGE 

8.1 The language of untyped λ-terms 

We first demonstrate our approach to formal reasoning about higher-order abstract 
syntax encodings using the example of untyped λ-terms. This encoding will be 
similar to the one used to motivate the framework in the preceding section. The 
object logic used will be the fragment of second-order intuitionistic logic encoded 
by the definition D(intuit) of Section 5.1. 
Table XII. Object logic encoding of typing and evaluation of untyped λ-terms 

prog (typeof (abs R) (arr T U)) ⋀n((typeof n T) ⇒ (typeof (R n) U)) 

prog (typeof (app M N) T) (typeof M (arr U T)) & (typeof N U) 

prog ((abs R) ⇓ (abs R)) tt 

prog ((app M N) ⇓ V) (M ⇓ (abs R)) & ((R N) ⇓ V) 

prog ((app (abs R) M) ⇝ (R M)) tt 

prog ((app M N) ⇝ (app M' N)) (M ⇝ M') 

prog (M ⇝* M) tt 

prog (M ⇝* N) (M ⇝ M') & (M' ⇝* N) 



The required constants to represent λ-terms are abs : (ι_tm → ι_tm) → ι_tm and 
app : ι_tm → ι_tm → ι_tm; for simple types (over one primitive type) we need gnd : ι_ty 
and arr : ι_ty → ι_ty → ι_ty. Since both types and terms in the language are rep- 
resented by the object logic type ι, we have added subscripts tm and ty. These 
subscripts should not be considered part of the encoding, but are added to improve 
the readability of these declarations. 

Our object logic predicate representing typability is denoted by the FOλ^ΔIN 
constant typeof of type ι_tm → ι_ty → atm. The predicates for natural semantics 
and transition semantics are denoted by the constants ⇓, ⇝ and ⇝*, all of type 
ι_tm → ι_tm → atm. The object logic specifications for these are the usual ones, 
written in the Lλ subset of higher-order logic [Miller 1991] and are those com- 
mon to specifications written in, say, λProlog [Hannan and Miller 1992] and Elf 
[Pfenning 1989]. This object-level specification is represented in FOλ^ΔIN as the 
definition D(lambda) shown in Table XII. (We have dropped the ≜ ⊤ body of 
these clauses.) This definition can be interpreted in a logic programming fashion 
to compute object-level simple type checking and call-by-name evaluation in both 
structural operational semantic and natural semantic styles. Call-by-value is just 
as easily represented and used. 
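As an added illustration, not code from the paper, the clauses of Table XII can be run as a program. The Python below is ours: it uses closures for the R of (abs R), so that (R N) is substitution inherited from the host language, and it replaces the logic-programming search over the typeof clauses by unification with type metavariables. The names (Abs, App, TVar, principal_type, check_theorem_8_1) and the sample terms are our assumptions, not the paper's.

```python
from __future__ import annotations
from dataclasses import dataclass
from itertools import count
from typing import Callable

# Object-level terms of Table XII.  abs carries a Python closure for R, so the clause's
# (R N) is just body(N): substitution is inherited from the host language (HOAS).
@dataclass(frozen=True)
class Abs: body: Callable[["Term"], "Term"]
@dataclass(frozen=True)
class App: fun: "Term"; arg: "Term"
@dataclass(frozen=True)
class Var: uid: int          # eigenvariable used only while typing under a binder

# Object-level types gnd and arr, plus metavariables (TVar) for the unification that
# stands in for the logic-programming search over the typeof clauses.
@dataclass(frozen=True)
class Gnd: pass
@dataclass(frozen=True)
class Arr: dom: "Ty"; cod: "Ty"
@dataclass(frozen=True)
class TVar: uid: int
_fresh = count()
def walk(t, s):                      # follow the metavariable bindings recorded in s
    while isinstance(t, TVar) and t in s:
        t = s[t]
    return t
def occurs(v, t, s):                 # occurs check: a type t = arr t u has no solution
    t = walk(t, s)
    return t == v or (isinstance(t, Arr) and (occurs(v, t.dom, s) or occurs(v, t.cod, s)))
def unify(a, b, s):                  # returns s extended so that a = b, or None
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if isinstance(a, TVar):
        return None if occurs(a, b, s) else {**s, a: b}
    if isinstance(b, TVar):
        return None if occurs(b, a, s) else {**s, b: a}
    if isinstance(a, Arr) and isinstance(b, Arr):
        s = unify(a.dom, b.dom, s)
        return None if s is None else unify(a.cod, b.cod, s)
    return None
def typeof(m, t, ctx, s):
    """The two typeof clauses run as a checker of m : t under the assumptions ctx;
    returns the extended substitution, or None when no derivation exists."""
    if isinstance(m, Var):                     # use of an assumption (typeof n T)
        return unify(ctx[m], t, s)
    if isinstance(m, Abs):                     # prog (typeof (abs R) (arr T U))
        dom, cod = TVar(next(_fresh)), TVar(next(_fresh))
        s = unify(t, Arr(dom, cod), s)
        if s is None:
            return None
        n = Var(next(_fresh))                  #   /\n((typeof n T) => (typeof (R n) U))
        return typeof(m.body(n), cod, {**ctx, n: dom}, s)
    u = TVar(next(_fresh))                     # prog (typeof (app M N) T)
    s = typeof(m.fun, Arr(u, t), ctx, s)       #   (typeof M (arr U T)) & (typeof N U)
    return None if s is None else typeof(m.arg, u, ctx, s)
def concrete(t, s):                  # apply s; metavariables left unconstrained become gnd
    t = walk(t, s)
    if isinstance(t, Arr):
        return Arr(concrete(t.dom, s), concrete(t.cod, s))
    return Gnd() if isinstance(t, TVar) else t
def principal_type(m):               # one concrete type of the closed term m, or None
    t = TVar(next(_fresh))
    s = typeof(m, t, {}, {})
    return None if s is None else concrete(t, s)

def eval_cbn(m):                     # natural semantics: the two ⇓ clauses (call-by-name)
    if isinstance(m, Abs):                     # prog ((abs R) ⇓ (abs R)) tt
        return m
    if isinstance(m, App):                     # prog ((app M N) ⇓ V) ((M ⇓ (abs R)) & ((R N) ⇓ V))
        return eval_cbn(eval_cbn(m.fun).body(m.arg))
    raise ValueError("open term")
def step(m):                         # transition semantics: the two ⇝ clauses; None if stuck
    if isinstance(m, App):
        if isinstance(m.fun, Abs):             # prog ((app (abs R) M) ⇝ (R M)) tt
            return m.fun.body(m.arg)
        m1 = step(m.fun)                       # prog ((app M N) ⇝ (app M' N)) (M ⇝ M')
        return None if m1 is None else App(m1, m.arg)
    return None
def eval_steps(m):                   # m ⇝* v: iterate ⇝ while a clause applies (m must terminate)
    while (m1 := step(m)) is not None:
        m = m1
    return m
def alpha_eq(a, b):                  # equality of HOAS terms: compare abs bodies at one fresh variable
    if isinstance(a, Abs) and isinstance(b, Abs):
        x = Var(next(_fresh))
        return alpha_eq(a.body(x), b.body(x))
    if isinstance(a, App) and isinstance(b, App):
        return alpha_eq(a.fun, b.fun) and alpha_eq(a.arg, b.arg)
    return a == b
def check_theorem_8_1(m):
    """Theorem 8.1 on one closed, terminating m: ⇓ and ⇝* give the same value, and
    the type found for m is also a type of that value (subject reduction)."""
    v = eval_cbn(m)
    if not alpha_eq(v, eval_steps(m)):
        return False
    t = principal_type(m)
    return t is None or typeof(v, t, {}, {}) is not None

# Constructed sample terms: I = λx.x, K = λx.λy.x, and the untypable λx.x x
I = Abs(lambda x: x)
K = Abs(lambda x: Abs(lambda y: x))
SAMPLE = App(App(K, I), App(I, I))       # (K I) (I I) ⇓ I, of type arr gnd gnd
SELF_APP = Abs(lambda x: App(x, x))      # a value, but no t with typeof SELF_APP t
```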

The following theorem lists the properties of the untyped λ-calculus that we 
have derived in FOλ^ΔIN: determinacy of semantics, equivalence of semantics, and 
subject reduction. The FOλ^ΔIN derivations closely follow the informal proofs of 
these properties. 

Theorem 8.1. The following formulas are derivable in FOλ^ΔIN from the defi- 
nition that accumulates D(nat), D(list(atm)), D(intuit), D(lambda) and the clause 
X = X ≜ ⊤ defining the predicate = : ι → ι → o. 

Determinacy of semantics: 

∀m∀m1∀m2(▷(m ⇓ m1) ⊃ ▷(m ⇓ m2) ⊃ m1 = m2) 
∀m∀m1∀m2(▷(m ⇝ m1) ⊃ ▷(m ⇝ m2) ⊃ m1 = m2) 
∀m∀r1∀r2(▷(m ⇝* (abs r1)) ⊃ ▷(m ⇝* (abs r2)) ⊃ (abs r1) = (abs r2)) 

Equivalence of semantics: 

∀m∀r(▷(m ⇓ (abs r)) ⊃ ▷(m ⇝* (abs r))) 
∀m∀r(▷(m ⇝* (abs r)) ⊃ ▷(m ⇓ (abs r))) 

Subject reduction: 

∀m∀n(▷(m ⇓ n) ⊃ ∀t(▷(typeof m t) ⊃ ▷(typeof n t))) 
∀m∀n(▷(m ⇝ n) ⊃ ∀t(▷(typeof m t) ⊃ ▷(typeof n t))) 
∀m∀n(▷(m ⇝* n) ⊃ ∀t(▷(typeof m t) ⊃ ▷(typeof n t))) 

Proof. We show the derivation of the first subject reduction property, which is 
a formalization of Proposition 7.1. 

We wish to show that evaluation preserves types: 

⟶ ∀p∀v(▷(p ⇓ v) ⊃ ∀t(▷(typeof p t) ⊃ ▷(typeof v t))) . 

(We have changed the names of the quantified variables to agree with those in the 
informal proof.) Applying the ∀R, ⊃R, ∃L, cL, and ∧L rules to the above sequent 
yields 

nat i, seq_i nil (p ⇓ v), ▷(typeof p t) ⟶ ▷(typeof v t) . 

(Recall that ▷(p ⇓ v) is an abbreviation for ∃i(nat i ∧ seq_i nil (p ⇓ v)).) 

As in the informal proof, we proceed with an induction on the height of the 
derivation of p ⇓ v, which is represented here by i. We will use the derived rule for 
complete induction (Proposition 2^) and our induction predicate will be 

λi∀p∀v∀t(seq_i nil (p ⇓ v) ⊃ ▷(typeof p t) ⊃ ▷(typeof v t)) , 

which we will denote by IP. The derivation of the conclusion from the induction 
predicate applied to i is trivial, so it only remains to derive the induction step 

nat j, ∀k(nat k ⊃ k < j ⊃ (IP k)) ⟶ (IP j) . 

We use the ∀R and ⊃R rules to obtain 

nat j, ∀k . . . , seq_j nil (p ⇓ v), ▷(typeof p t) ⟶ ▷(typeof v t) . 

In the informal proof we use the fact that the derivation of the atomic formula 
p ⇓ v must end with the use of a clause from the specification of evaluation. We 
deduce this formally by applying the defL rule to seq_j nil (p ⇓ v), which yields 

nat (s j0), ∀k . . . , ∃b(prog (p ⇓ v) b ∧ seq_j0 nil b), ▷(typeof p t) ⟶ ▷(typeof v t) . 

We next apply the ∃L, cL, and ∧L rules, and then apply the defL rule to prog (p ⇓ 
v) b, which yields the two sequents 

nat (s j0), ∀k . . . , seq_j0 nil tt, ▷(typeof (abs r) t) ⟶ ▷(typeof (abs r) t) 

nat (s j0), ∀k . . . , seq_j0 nil (m ⇓ (abs r)) & ((r n) ⇓ v), 
▷(typeof (app m n) t) ⟶ ▷(typeof v t) . 

This use of the defL rule corresponds to the case analysis of the formula used to 
derive p ⇓ v. As in the informal case, the abs case (represented here by the first 
sequent) is immediate. The derivation of the second sequent, representing the app 
case, begins with the use of the defL, cL, and ∧L rules, bringing us to the sequent 

nat (s² j1), ∀k . . . , seq_j1 nil (m ⇓ (abs r)), seq_j1 nil ((r n) ⇓ v), 
▷(typeof (app m n) t) ⟶ ▷(typeof v t) . 

(We use the term s² j1 as an abbreviation for s (s j1).) 

The informal proof continues with an analysis of the derivation of 

typeof (app m n) t . 

Again we accomplish this through two uses of the defL rule, the first to indicate 
that the derivation must end with the use of a specification clause, and the second 
to determine the applicable clauses. In this case there is only one applicable clause, 
so we are left to derive the sequent 

. . . , nat (s j'0), seq_j'0 nil (typeof m (arr u t)) & (typeof n u) ⟶ ▷(typeof v t) . 

Additional uses of the defL, cL and ∧L rules bring us to the sequent 

. . . , nat (s² j'1), seq_j'1 nil (typeof m (arr u t)), 
seq_j'1 nil (typeof n u) ⟶ ▷(typeof v t) . 

In the informal proof we now apply the induction hypothesis to the evaluation 
and typing judgments for m. We accomplish this here by applying the appropriate 
left rules to the elided induction hypothesis ∀k . . . . This requires the derivation of 
the five sequents 

nat (s² j1), . . . ⟶ nat j1          nat (s² j1), . . . ⟶ j1 < (s² j1) 

. . . , seq_j1 nil (m ⇓ (abs r)), . . . ⟶ seq_j1 nil (m ⇓ (abs r)) 

. . . , nat (s² j'1), seq_j'1 nil (typeof m (arr u t)), . . . ⟶ ▷(typeof m (arr u t)) 

nat (s² j1), ∀k . . . , seq_j1 nil ((r n) ⇓ v), 
▷(typeof (abs r) (arr u t)), 
nat (s² j'1), seq_j'1 nil (typeof n u) ⟶ ▷(typeof v t) . 

The first two of these represent the fact that the measure of the evaluation deriva- 
tion for m is a natural number that is smaller than the measure of the original 
evaluation derivation for p. By Proposition 2.4 these are derivable in FOλ^ΔIN from 
D(nat). The third sequent is immediate, and the fourth also follows easily from 
Proposition 2.4. 

The derivation of the fifth sequent proceeds with another two applications of the 
defL rule, corresponding to the analysis of the proof of typeof (abs r) (arr u t) in 
the informal proof. This yields the sequent 

. . . , nat (s j''0), seq_j''0 nil ⋀x((typeof x u) ⇒ (typeof (r x) t)), 
. . . ⟶ ▷(typeof v t) . 

This is followed by applications of the defL and ∀L rules to give us 

. . . , nat (s² j''1), seq_j''1 ((typeof n u)::nil) (typeof (r n) t), . . . ⟶ ▷(typeof v t) . 

The informal proof proceeds with a use of the cut rule, and here we use the derived 
object-level cut rule (Theorem 5.2) with the elided assumption seq_j'1 nil (typeof n u) 
to obtain 

. . . , nat (s² j''1), seq_j''1 ((typeof n u)::nil) (typeof (r n) t), 
. . . ⟶ ((typeof n u)::nil) ▷ (typeof (r n) t) 

. . . , nat (s² j'1), seq_j'1 nil (typeof n u) ⟶ ▷(typeof n u) 

. . . , ▷(typeof (r n) t) ⟶ ▷(typeof v t) . 

The first two of these follow easily from Proposition 2.4. 

The informal proof concludes by applying the induction hypothesis to the eval- 
uation and typing judgments for (r n). Again we accomplish this by applying the 
appropriate left rules to the induction hypothesis ∀k . . . , which requires the deriva- 
tion of the five sequents 

nat (s² j1) ⟶ nat j1          nat (s² j1) ⟶ j1 < (s² j1) 

. . . , seq_j1 nil ((r n) ⇓ v), . . . ⟶ seq_j1 nil ((r n) ⇓ v) 

. . . , ▷(typeof (r n) t) ⟶ ▷(typeof (r n) t) 

. . . , ▷(typeof v t) ⟶ ▷(typeof v t) . 

The first two sequents follow from Proposition 2.4 and the last three are all imme- 
diate. □ 



8.2 A language for computable functions 

We now extend the encoding of the static and dynamic semantics for untyped λ- 
terms from the previous section to the programming language PCF [Scott 1969]. 
The necessary FOλ^ΔIN constants for PCF types are 

num : ι_ty          bool : ι_ty          arr : ι_ty → ι_ty → ι_ty 

Those for PCF terms are 

zero : ι_tm          succ : ι_tm → ι_tm          if : ι_tm → ι_tm → ι_tm → ι_tm 
true : ι_tm          pred : ι_tm → ι_tm          abs : ι_ty → (ι_tm → ι_tm) → ι_tm 
false : ι_tm         is_zero : ι_tm → ι_tm       app : ι_tm → ι_tm → ι_tm 
                                                 rec : ι_ty → (ι_tm → ι_tm) → ι_tm 

We have again labeled the type ι with subscripts to improve the readability of these 
declarations. The first argument to abs and rec represents the PCF type tag for the 
variable bound by the abstraction and recursion constructs. 

The object logic predicates representing typability and evaluation are denoted 
by the same FOλ^ΔIN constants as in Section 8.1, plus the additional constant 
value : ι_tm → atm. The object-level specification is represented in FOλ^ΔIN as the 
definition D(PCF) shown in Tables XIII, XIV, and XV; we have again omitted 
the ≜ ⊤ body of the clauses. The following theorem lists the properties of PCF 
that we have derived in FOλ^ΔIN. The type tags in PCF terms allow the unicity of 
typing to hold in addition to the determinacy of semantics, equivalence of semantics 
and subject reduction. The FOλ^ΔIN derivations again closely follow the informal 
proofs of these properties; the only exception is the derivation of the unicity of 
typing property, which we discuss below. 

Theorem 8.2. The following formulas are derivable in FOλ^ΔIN from the defi- 
nition that accumulates D(nat), D(list(atm)), D(intuit), D(PCF) and the clause 
X = X ≜ ⊤ defining the predicate = : ι → ι → o. 
Table XIII. Object logic encoding of typing for PCF 

prog (typeof zero num) tt 

prog (typeof true bool) tt 

prog (typeof false bool) tt 

prog (typeof (succ M) num) (typeof M num) 

prog (typeof (pred M) num) (typeof M num) 

prog (typeof (is_zero M) bool) (typeof M num) 

prog (typeof (if M N1 N2) T) (typeof M bool) & (typeof N1 T) & (typeof N2 T) 

prog (typeof (abs T R) (arr T U)) ⋀n((typeof n T) ⇒ (typeof (R n) U)) 

prog (typeof (app M N) T) (typeof M (arr U T)) & (typeof N U) 

prog (typeof (rec T R) T) ⋀n((typeof n T) ⇒ (typeof (R n) T)) 



Table XIV. Object logic encoding of natural semantics for PCF 

prog (zero ⇓ zero) tt 

prog (true ⇓ true) tt 

prog (false ⇓ false) tt 

prog ((succ M) ⇓ (succ V)) (M ⇓ V) 

prog ((pred M) ⇓ zero) (M ⇓ zero) 

prog ((pred M) ⇓ V) (M ⇓ (succ V)) 

prog ((is_zero M) ⇓ true) (M ⇓ zero) 

prog ((is_zero M) ⇓ false) (M ⇓ (succ V)) 

prog ((if M N1 N2) ⇓ V) (M ⇓ true) & (N1 ⇓ V) 

prog ((if M N1 N2) ⇓ V) (M ⇓ false) & (N2 ⇓ V) 

prog ((abs T R) ⇓ (abs T R)) tt 

prog ((app M N) ⇓ V) (M ⇓ (abs T R)) & ((R N) ⇓ V) 

prog ((rec T R) ⇓ V) ((R (rec T R)) ⇓ V) 



Determinacy of semantics: 

∀m∀m1∀m2(▷(m ⇓ m1) ⊃ ▷(m ⇓ m2) ⊃ m1 = m2) 
∀m∀m1∀m2(▷(m ⇝ m1) ⊃ ▷(m ⇝ m2) ⊃ m1 = m2) 
∀m∀v1∀v2(▷(value v1) ⊃ ▷(m ⇝* v1) ⊃ ▷(value v2) ⊃ ▷(m ⇝* v2) ⊃ v1 = v2) 

Equivalence of semantics: 

∀m∀v(▷(m ⇓ v) ⊃ (▷(value v) ∧ ▷(m ⇝* v))) 
∀m∀v((▷(value v) ∧ ▷(m ⇝* v)) ⊃ ▷(m ⇓ v)) 

Subject reduction: 

∀m∀n(▷(m ⇓ n) ⊃ ∀t(▷(typeof m t) ⊃ ▷(typeof n t))) 
∀m∀n(▷(m ⇝ n) ⊃ ∀t(▷(typeof m t) ⊃ ▷(typeof n t))) 
∀m∀n(▷(m ⇝* n) ⊃ ∀t(▷(typeof m t) ⊃ ▷(typeof n t))) 

Unicity of typing: 

∀m∀t1∀t2(▷(typeof m t1) ⊃ ▷(typeof m t2) ⊃ t1 = t2) 

The usual informal proof of the unicity of typing relies on the requirement that 
the list of assumptions in the object logic sequent contains typing assignments only 
for variables and no more than one assignment for any particular variable. Since we 
Table XV. Object logic encoding of transition semantics for PCF 

prog ((succ M) ⇝ (succ M')) (M ⇝ M') 

prog ((pred zero) ⇝ zero) tt 

prog ((pred (succ V)) ⇝ V) (value V) 

prog ((pred M) ⇝ (pred M')) (M ⇝ M') 

prog ((is_zero zero) ⇝ true) tt 

prog ((is_zero (succ V)) ⇝ false) (value V) 

prog ((is_zero M) ⇝ (is_zero M')) (M ⇝ M') 

prog ((if true M N) ⇝ M) tt 

prog ((if false M N) ⇝ N) tt 

prog ((if M N1 N2) ⇝ (if M' N1 N2)) (M ⇝ M') 

prog ((app (abs T R) N) ⇝ (R N)) tt 

prog ((app M N) ⇝ (app M' N)) (M ⇝ M') 

prog ((rec T R) ⇝ (R (rec T R))) tt 

prog (M ⇝* M) tt 

prog (M ⇝* N) (M ⇝ M') & (M' ⇝* N) 

prog (value zero) tt 

prog (value true) tt 

prog (value false) tt 

prog (value (succ V)) (value V) 

prog (value (abs T R)) tt 



have encoded the variables of PCF as variables of our object logic, which in turn are 
encoded as variables of FOλ^ΔIN, we cannot state the first part of this requirement 
in FOλ^ΔIN. Thus our derivation (given in McDowell [1997]) must differ from the 
informal proof. In fact, we make essential use of the PCF recursion construct in 
the abs case of the derivation; for an arbitrary type u, the term (rec u (λy y)) has 
the type u and no other type. As a result, our derivation does not generalize to 
languages without this construct. In the next section we give an encoding of an 
extension of PCF in the object logic of Section 5.2, which is encoded in FOλ^ΔIN 
using the explicit eigenvariable encoding. Although this explicit eigenvariable en- 
coding makes the syntax more cumbersome, it allows the derivations in FOλ^ΔIN to 
be more natural. This is illustrated by the fact that we can capture in FOλ^ΔIN the 
typical proof of the unicity of typing. 

9. REPRESENTATION AND ANALYSIS OF AN IMPERATIVE PROGRAMMING LANGUAGE 

In this section we consider the programming language PCF:=, an extension of PCF 
with state [Gunter 1992]. This language extends PCF with reference types and 
constructs for referencing, dereferencing, assignment, and sequential evaluation. 
The type (refty τ) is the type of references to values of type τ. If m is a term of 
type τ, then (ref m) has type (refty τ) and evaluates to a new memory location 
containing the value of m. If m is a term of type (refty τ), then the value of m is a 
memory location, and !m has type τ and evaluates to the contents of that location. 
If m has type (refty τ) and n has type τ, then (m := n) has type τ. The evaluation 
of (m := n) changes the contents of the value of m to be the value of n; its value is 
the same as the value of n. If m1 and m2 have types τ1 and τ2, respectively, then 
(m1; m2) has type τ2. To evaluate (m1; m2), we first evaluate m1, then evaluate 
m2, and finally return the value of m2. Clearly the value of a PCF:= term will 
depend on the state in which it is evaluated, and the state may be modified in the 
evaluation process; thus evaluation becomes a mapping from a term-state pair to a 
value-state pair. 



To encode PCF:=, we use the linear object logic of Section 5.2, since linear 
logic is well-suited as a specification logic for programming languages with state 
[Cervesato and Pfenning 1996; Chirimar 1995; Miller 1996]. For such languages, 
the order of evaluation becomes important, and so a continuation-based operational 
semantics is often used for the encoding. In a continuation-based semantics, each 
rule has at most one premise, and any additional evaluation steps are encoded 
in the continuation. This encoding of the evaluation steps into the continuation 
makes the order of evaluation explicit. A continuation-based semantics for PCF:= is 
given in Table XVI; following Gunter [1992] we specify call-by-value evaluation. To 
abbreviate our presentation we omit the rules for the natural number, boolean, and 
conditional constructs; a presentation with the full language is given in McDowell 
[1997]. The semantics of Table XVI and their object logic encoding given below 
are a variation of those found in Cervesato and Pfenning [1996]. The judgement 
κ ⊢ (M, σ) ↪ φ represents the idea that the evaluation of the term M in state σ 
with continuation κ results in the final answer φ. A continuation is a list whose 
elements are of the form x.M, where M is a term containing the variable x. (We 
use x.M instead of λx.M to avoid confusion with λ-abstraction in PCF:=.) The answer φ 
is a pair including the final value and the final state. The judgement κ ⊢ (V, σ) ↪ φ 
indicates that passing the value V with state σ to the continuation κ results in the 
final answer φ. In the rules of Table XVI, c is used to range over locations (reference 
cells). In the rule for the continuation (x.ref x, κ), c must be a new location, i.e., 
a location that does not occur in the state σ. The expression σ[c ↦ V] represents 
the state that is the same as σ except that location c contains the value V. 
To encode PCF:=, we use the constants 

refty : ι_ty → ι_ty          ref : ι_tm → ι_tm          assign : ι_tm → ι_tm → ι_tm 
cell : ι_lc → ι_tm           deref : ι_tm → ι_tm        sequence : ι_tm → ι_tm → ι_tm 

in addition to the constants of Section 8.2. Once again we have labeled the type ι 
with subscripts to improve the readability of these declarations. The subscript lc 
indicates that the argument to cell represents a PCF:= location. 

The object logic predicate representing typability is denoted by the same FOλ^ΔIN 
constants as in Section 8; its object-level specification is represented in FOλ^ΔIN as 
the definition shown in Table XVII. Recall that prog A (C1 :: . . . :: Cn :: nil) (B1 :: 
. . . :: Bm :: nil) represents the definite clause 

⋀x(B1 ⇒ · · · ⇒ Bm ⇒ C1 ⊸ · · · ⊸ Cn ⊸ A) , 

where the free variables of A, B1, . . . , Bm, C1, . . . , Cn are included in the list x. 
This means that to derive an instance of A, we can instead derive the corresponding 
instances of B1, . . . , Bm, C1, . . . , Cn. To establish IL; LL ▷ (A), the rules of linear 
logic require that each assumption in LL be used exactly once in the derivation of 
one of the Ci's; it cannot be used in the derivation of any of the Bi's, or in the 
[Table XVI. Continuation-based operational semantics for PCF:=: inference rules for 
values, locations, ref, !, :=, ;, λ-abstraction, application, and rec, over the judgements 
κ ⊢ (M, σ) ↪ φ and κ ⊢ (V, σ) ↪ φ described in the text.] 


Table XVII. Object logic encoding of typing for PCF:= terms 

prog (typeof* (abs* T R) (arr* T U)) 
    λl(⋀n((typeof n (T l)) ⇒ (typeof (R l n) (U l))) :: nil) nil* 
prog (typeof* (app* M N) T) 
    ((typeof* M (arr* U T))* ::* (typeof* N U)* ::* nil*) nil* 
prog (typeof* (rec* T R) T) 
    λl(⋀n((typeof n (T l)) ⇒ (typeof (R l n) (T l))) :: nil) nil* 
prog (typeof* (ref* M) (refty* T)) 
    ((typeof* M T)* ::* nil*) nil* 
prog (typeof* (deref* M) T) 
    ((typeof* M (refty* T))* ::* nil*) nil* 
prog (typeof* (assign* M N) T) 
    ((typeof* M (refty* T))* ::* (typeof* N T)* ::* nil*) nil* 
prog (typeof* (sequence* M N) T) 
    ((typeof* M U)* ::* (typeof* N T)* ::* nil*) nil* 



derivation of more than one Ci. In the specification of typing, no linear assumptions 
are introduced, so LL will be empty. In general, we will use linear formulas (C1, 
. . . , Cn) in the bodies of specification clauses; we use intuitionistic formulas (B1, 
. . . , Bm) only where we specifically wish to preclude the use of linear assumptions. 
This is only done in one clause in the encoding of the operational semantics, and 
will be discussed when it is introduced. We extend the abbreviation convention 
of Section 5.2 to the constants of this section. Thus (typeof* m t) abbreviates 
(λl typeof (m l) (t l)), (refty* t) abbreviates (λl refty (t l)), etc. 

The semantics for PCF:= is more complicated than those in the previous sections. 
The constant ⇓ now has type ι_tm → ι_st → ι_ans → atm. The object logic atom 
(m, s) ⇓ f represents the evaluation of the term m in the state s yielding the final 
answer f. State is encoded using the constants null_st : ι_st and extend_st : ι_lc → 
Table XVIII. Object logic encoding of natural semantics for PCF:= (part I) 

prog ((M, S) ⇓* F) 
    nil* ((ns_mach_1* init* (eval* M) S F)* ::* nil*) 
prog (ns_mach_1* K I (extend_st* C V S) F) 
    ((contains* C V ⊸* (ns_mach_1* K I S F)*) ::* nil*) nil* 
prog (ns_mach_1* K I null_st* F) 
    ((ns_mach_2* K I F)* ::* nil*) nil* 
prog (collect_state* (extend_st* C V S)) 
    ((contains* C V)* ::* (collect_state* S)* ::* nil*) nil* 
prog (collect_state* null_st*) 
    nil* nil* 



ι_tm → ι_st → ι_st; null_st represents the state with no locations, and (extend_st c v s) 
represents the state obtained by adding the location c containing value v to the 
state s. A value and a state are combined into an answer using the constant 
answer : ι_tm → ι_st → ι_ans; variables representing new locations are bound using 
new : (ι_lc → ι_ans) → ι_ans. Our specification of evaluation will also use the predicates 

ns_mach_1 : ι_cntn → ι_instr → ι_st → ι_ans → atm 
ns_mach_2 : ι_cntn → ι_instr → ι_ans → atm 
contains : ι_lc → ι_tm → atm 
collect_state : ι_st → atm . 

The object logic atom ns_mach_1 k i s f corresponds to the two judgements of 
Table XVI. Continuations are constructed using init : ι_cntn to represent the initial 
continuation and ▽ : (ι_tm → ι_instr) → ι_cntn → ι_cntn to extend a continuation. 
Instructions, constructed from the constants 

eval : ι_tm → ι_instr            eval_arg : ι_tm → ι_tm → ι_instr 
new_ref : ι_tm → ι_instr         eval_rvalue : ι_tm → ι_tm → ι_instr 
return : ι_tm → ι_instr          apply : ι_tm → ι_tm → ι_instr 
lookup : ι_tm → ι_instr          update : ι_tm → ι_tm → ι_instr , 

are used to indicate the current task in the evaluation of a term. The object logic 
atom ns_mach_2 k i f is a variation of ns_mach_1 k i s f which does not contain 
the state; instead the contents of each location is recorded using the object logic 
predicate denoted by the constant contains. The evaluation of terms is specified 
using this distributed representation of state; the state portion of the final answer 
is constructed again using the predicate collect_state. The specifications for all of 
these predicates are represented by the FOλ^ΔIN definition in Tables XVIII and 
XIX. 

This encoding differs slightly from the continuation semantics in Table XVI. 
The object logic judgement nil; Π ▷ (ns_mach_2 k (return v) f)* corresponds to the 
judgement κ ⊢ (v', σ) ↪ φ, where κ is the continuation encoded by k, v' is the value 
encoded by v, σ is the state encoded by the list Π of contains assumptions, and φ is 
the answer encoded by f. However, the specification for ns_mach_2* k (return* v) f 
takes the first instruction from k and substitutes in the value v to obtain the new 
Table XIX. Object logic encoding of natural semantics for PCF:= (part II) 

prog (ns_mach_2* init* (return* V) (answer* V S)) 
    ((collect_state* S)* ::* nil*) nil* 
prog (ns_mach_2* (I ▽* K) (return* V) F) 
    ((ns_mach_2* K (λl I l (V l)) F)* ::* nil*) nil* 
prog (ns_mach_2* K (eval* (cell* C)) F) 
    ((ns_mach_2* K (return* (cell* C)) F)* ::* nil*) nil* 
prog (ns_mach_2* K (eval* (ref* M)) F) 
    ((ns_mach_2* ((λlλv new_ref v) ▽* K) (eval* M) F)* ::* nil*) nil* 
prog (ns_mach_2* K (new_ref* V) (new* F)) 
    λl(⋀c(contains c (V l) ⊸ (ns_mach_2 (K l) (return (cell c)) (F l c))) :: nil) nil* 
prog (ns_mach_2* K (eval* (deref* M)) F) 
    ((ns_mach_2* ((λlλv lookup v) ▽* K) (eval* M) F)* ::* nil*) nil* 
prog (ns_mach_2* K (lookup* (cell* C)) F) 
    ((contains* C V)* ::* (contains* C V ⊸* (ns_mach_2* K (return* V) F)*) ::* nil*) nil* 
prog (ns_mach_2* K (eval* (assign* M N)) F) 
    ((ns_mach_2* ((λlλv eval_rvalue v (N l)) ▽* K) (eval* M) F)* ::* nil*) nil* 
prog (ns_mach_2* K (eval_rvalue* V N) F) 
    ((ns_mach_2* ((λlλv update (V l) v) ▽* K) (eval* N) F)* ::* nil*) nil* 
prog (ns_mach_2* K (update* (cell* C) V) F) 
    ((contains* C W)* ::* (contains* C V ⊸* (ns_mach_2* K (return* V) F)*) ::* nil*) nil* 
prog (ns_mach_2* K (eval* (sequence* M N)) F) 
    ((ns_mach_2* ((λlλv eval (N l)) ▽* K) (eval* M) F)* ::* nil*) nil* 
prog (ns_mach_2* K (eval* (app* M N)) F) 
    ((ns_mach_2* ((λlλv eval_arg v (N l)) ▽* K) (eval* M) F)* ::* nil*) nil* 
prog (ns_mach_2* K (eval_arg* V N) F) 
    ((ns_mach_2* ((λlλv apply (V l) v) ▽* K) (eval* N) F)* ::* nil*) nil* 
prog (ns_mach_2* K (apply* (abs* T R) V) F) 
    ((ns_mach_2* K (eval* (λl R l (V l))) F)* ::* nil*) nil* 
prog (ns_mach_2* K (eval* (abs* T R)) F) 
    ((ns_mach_2* K (return* (abs* T R)) F)* ::* nil*) nil* 
prog (ns_mach_2* K (eval* (rec* T R)) F) 
    ((ns_mach_2* K (eval* (λl R l (rec (T l) (R l)))) F)* ::* nil*) nil* 



instruction. This new instruction then determines the next step in the evaluation. 
On the other hand, the rules of Table XVI examine the return value and the first 
term of the continuation to determine the next evaluation step. Other than this 
small difference, the encoding mirrors the continuation semantics very closely. 

The distributed encoding of state in Tables XVIII and XIX makes vital use of linear 
implication. Since each assumption of the form contains c v is a linear assumption, 
it can only be used once. This linearity is used, for example, in the clause for 
ns_mach_2 with the instruction (update (cell c) v); the desired behavior is that the 
contents of location c be replaced by the value v. This clause has two linear formulas 
in its body, (contains c w) and (contains c v -o (ns_mach_2 k (return v) f)). 
Each contains assumption must be used exactly once in the derivation of these two 
formulas. Since there is no clause for contains in the object logic theory, the first 
formula must be derived by the initial rule, and so will use the one assumption 
representing the contents of location c. The remainder of the state is then available 
for the other formula, which adds a new assumption about the contents of c and 
then continues the evaluation encoded in the continuation k. The linearity of the 
contains assumptions is also used in the clause for ns_mach_2 with the instruction 
(return v) and the continuation init. This clause represents the situation where 
the evaluation is complete and we wish to construct the final answer from the value 
v and the state encoded in the assumptions. The clause has the single linear formula 
(collect_state s) as its body. Thus the derivation of this formula must use all of 
the contains assumptions; this ensures that the constructed state includes all of the 
locations represented in the assumptions. Dually, the clause for ⇓ in Table XVIII 
has a single intuitionistic formula (ns_mach_1 init (eval m) s f) as its body. 
This clause represents the situation where we wish to evaluate the term m in the 
state s. Since the formula in the body is intuitionistic, it must be derived from an 
empty set of linear assumptions. Since there are no linear formulas in the body, this 
means that (m, s) ⇓ f is only derivable from an empty set of linear assumptions, 
i.e., the state is entirely represented in s. 
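The consumption and re-assertion of contains assumptions described above, as an added example that is not code from the paper: a small abstract machine in Python that follows the ns_mach_2 clauses of Table XIX for the imperative fragment (new, deref, assign, sequence), with the linear state held in a dict that each step must consume before it can re-assert. The term and instruction encodings, the fresh-name allocation in place of the table's new binder, and the error types are assumptions of the example.

```python
# Added example, not code from the paper: an abstract machine that follows the
# ns_mach_2 clauses of Table XIX for the imperative fragment of PCF:= (new,
# deref, assign, sequence). The linear assumptions "contains c v" are a dict
# that lookup and update consume and re-assert, so each is used exactly once;
# the `new` binder the table puts around answers is replaced by a fresh name.
# Terms: ("const", v), ("cell", c), ("new", M), ("deref", M), ("assign", M, N),
# ("seq", M, N). Instructions mirror the table's; a continuation is a list of
# functions from a value to the next instruction, innermost last (I :: K).

def run(term, store):
    """Run `term` in `store` (cell -> value); returns (value, final store)."""
    store = dict(store)        # the linear context; never read without consuming
    kont = []
    counter = 0

    def consume(c):
        # Only the initial rule can derive contains c v, so it must match exactly
        # one assumption; a missing or already-used fact is not derivable.
        if c not in store:
            raise KeyError("no linear assumption contains %s" % c)
        return store.pop(c)

    instr = ("eval", term)
    while True:
        tag, *args = instr
        if tag == "eval":
            t = args[0]
            if t[0] == "new":
                kont.append(lambda v: ("new_ret", v)); instr = ("eval", t[1])
            elif t[0] == "deref":
                kont.append(lambda v: ("lookup", v)); instr = ("eval", t[1])
            elif t[0] == "assign":
                kont.append(lambda v, n=t[2]: ("eval_rvalue", v, n)); instr = ("eval", t[1])
            elif t[0] == "seq":       # the value of M is discarded, as in (λl λv eval (N l))
                kont.append(lambda v, n=t[2]: ("eval", n)); instr = ("eval", t[1])
            else:                      # constants and cells are values: eval becomes return
                instr = ("return", t)
        elif tag == "new_ret":         # fresh location c with the new assumption contains c v
            counter += 1
            while "c%d" % counter in store:
                counter += 1
            store["c%d" % counter] = args[0]
            instr = ("return", ("cell", "c%d" % counter))
        elif tag == "lookup":          # body (contains c v) :: (contains c v -o ... return v)
            if args[0][0] != "cell":
                raise TypeError("lookup of a non-reference value is not derivable")
            c = args[0][1]
            v = consume(c); store[c] = v
            instr = ("return", v)
        elif tag == "eval_rvalue":     # push (update (V l) v), then evaluate the right-hand side
            ref, rhs = args
            kont.append(lambda w, r=ref: ("update", r, w)); instr = ("eval", rhs)
        elif tag == "update":          # body (contains c w) :: (contains c v -o ... return v)
            ref, v = args
            consume(ref[1]); store[ref[1]] = v
            instr = ("return", v)
        else:                          # "return": the init continuation yields the answer
            if not kont:
                return args[0], store
            instr = kont.pop()(args[0])
```

The returned store is the multiset that collect_state gathers when the continuation is init; a deref of a location with no contains assumption fails, just as the object-level derivation would.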

We also introduce typing predicates for continuations, instructions, and answers: 

    typeof_cntn : cntn → ty → atm        typeof_ans : ans → ty → atm 

    typeof_instr : instr → ty → atm . 

The object-level specification for these predicates is represented in FOλ^ΔIN by the 
definition of Table XX. A continuation has type (arr t u) if it expects a value of 
type t in order to produce a value of type u. Instructions are typed in the same way 
as the corresponding terms. The type of an answer is the same as the type of its 
value component under some typing assumptions for any new memory locations. 
These assumptions must be consistent with the values stored in those locations; 
this consistency is expressed by the predicate well_typed : st → atm. 

prog (typeof_cntn init (arr T T)) nil nil

prog (typeof_cntn (I :: K) (arr T U))
    ((λl ∀v (typeof v (T l) ⊃ typeof_instr (I l v) (T' l))) ::
     (typeof_cntn K (arr T' U)) :: nil) nil

prog (typeof_instr (eval M) T)
    ((typeof M T) :: nil) nil

prog (typeof_instr (return V) T)
    ((typeof V T) :: nil) nil

prog (typeof_instr (eval_arg M N) T)
    ((typeof M (arr U T)) :: (typeof N U) :: nil) nil

prog (typeof_instr (apply M N) T)
    ((typeof M (arr U T)) :: (typeof N U) :: nil) nil

prog (typeof_instr (new_ret M) (refty T))
    ((typeof M T) :: nil) nil

prog (typeof_instr (lookup M) T)
    ((typeof M (refty T)) :: nil) nil

prog (typeof_instr (eval_rvalue M N) T)
    ((typeof M (refty T)) :: (typeof N T) :: nil) nil

prog (typeof_instr (update M N) T)
    ((typeof M (refty T)) :: (typeof N T) :: nil) nil

prog (typeof_ans (answer V S) T)
    ((typeof V T) :: (well_typed S) :: nil) nil

prog (typeof_ans (new F) T)
    ((λl ∀c (typeof (cell c) (refty (U l)) ⊃ typeof_ans (F l c) (T l))) :: nil) nil

prog (well_typed null_st) nil nil

prog (well_typed (extend_st C V S))
    ((typeof (cell C) (refty T)) :: (typeof V T) :: (well_typed S) :: nil) nil

We now present the theorems we have derived in FOλ^ΔIN about this object logic 
encoding of PCF:=. We will refer to the collected clauses of Tables XVII, XVIII, 
XIX and XX as the definition D(PCF:=). To simplify the presentation of our 
theorems, we introduce several FOλ^ΔIN predicates: 

    store : atmlst → o               =atm : atm → atm → o 

    store_typing : atmlst → o        =i : i → i → o 

    store_typeof : atmlst → atmlst → o . 

The store predicate indicates that a list of object logic atoms is a valid distributed 
encoding of state, that is, its elements are of the form contains c v. The predicate 
store_typing holds if its argument is a valid list of typing assumptions for locations. 
The store_typeof predicate holds for a store and store typing if every location in 
the store is assigned a type by the store typing that agrees with a type of the value 
stored in the location. Finally, =atm and =i encode syntactic identity over 
the types atm and i. The definition D(store) for these predicates is presented in 
Table XXI. The following theorem states that we have derived the subject reduction 
and unicity of typing properties for PCF:= in FOλ^ΔIN. The FOλ^ΔIN derivations 
again closely follow the informal proofs of these properties. We expect that the 
determinacy of semantics is also derivable, but have not yet shown this. We use 
the following abbreviations from Section 5: D(lists) for 

    D(list(atm)) ∪ D(list(prp)) ∪ D(list'(atm)) ∪ D(list'(prp)) 

and D(evars) for 

    D(evars(atm)) ∪ D(evars(prp)) ∪ D(evars(atmlst)) ∪ D(evars(prplst)) 
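The three store predicates, as an added example that is not the paper's FOλ^ΔIN definition: Table XXI's store, store_typing and store_typeof written as executable checks over a constructed store, including the case the last predicate rejects. The tuple encoding of atoms and the value typing (integers have type "nat", a cell has the refty type the store typing gives it) are assumptions of the example standing in for the object-level typeof.

```python
# Added example, not the paper's definition: the store, store_typing and
# store_typeof predicates of Table XXI as executable checks on a constructed
# store. A store is a list of ("contains", c, v); a store typing is a list of
# ("typeof", ("cell", c), ("refty", t)). The object-level typing of a value is
# a hypothetical stand-in: integers have type "nat" and a cell has the refty
# type that the store typing assigns to it.

def store(ll):
    """store LL: every element has the form contains c v."""
    return all(a[0] == "contains" and len(a) == 3 for a in ll)

def store_typing(il):
    """store_typing IL: every element types a location, and no location
    receives two different types (the t1 =i t2 conjunct of Table XXI)."""
    shape = all(a[0] == "typeof" and a[1][0] == "cell" and a[2][0] == "refty"
                for a in il)
    unique = all(a[2] == b[2] for a in il for b in il if a[1] == b[1])
    return shape and unique

def typeof_value(v, il):
    """Hypothetical object-level typeof for values under the location typings il."""
    if isinstance(v, int):
        return "nat"
    if isinstance(v, tuple) and v[0] == "cell":
        for a in il:
            if a[1] == v:
                return a[2]
    return None          # no typing derivation for this value

def store_typeof(ll, il):
    """store_typeof LL IL: each contains c v has a typeof (cell c) (refty t)
    in IL such that t is a type of v."""
    return all(any(a[1] == ("cell", c) and typeof_value(v, il) == a[2][1] for a in il)
               for (_, c, v) in ll)
```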



Table XXI. Meta-logic predicates for PCF:= stores 

    store LL ≜ list LL ∧ ∀a (element a LL ⊃ ∃c ∃v (a =atm (contains c v))) 

    store_typing IL ≜ list IL ∧ 
        ∀a (element a IL ⊃ ∃c ∃t (a =atm (typeof (cell c) (refty t)))) ∧ 
        ∀c ∀t1 ∀t2 (element (typeof (cell c) (refty t1)) IL ⊃ 
                    element (typeof (cell c) (refty t2)) IL ⊃ t1 =i t2) 

    store_typeof LL IL ≜ ∀c ∀v (element (contains c v) LL ⊃ 
        ∃t (element (typeof (cell c) (refty t)) IL ∧ IL ; nil ▷ (typeof v t))) 

    x =atm x ≜ ⊤ 

    x =i x ≜ ⊤ 

Theorem 9.1. The following formulas are derivable in FOλ^ΔIN from the def- 
inition that accumulates D(nat), D(lists), D(evars), D(linear), D(PCF:=), and 
D(store): 

Subject reduction: 

    ∀m ∀s ∀f (▷ ((m, s) ⇓ f) ⊃ 
        ∀il ∀t (store_typing il ⊃ il ; nil ▷ (well_typed s) ⊃ 
                il ; nil ▷ (typeof m t) ⊃ 
                il ; nil ▷ (typeof_ans f t))) 

    ∀ll ∀k ∀i ∀f (store ll ⊃ nil ; ll ▷ (ns_mach_2 k i f) ⊃ 
        ∀il ∀t ∀u (store_typing il ⊃ store_typeof ll il ⊃ 
                   il ; nil ▷ (typeof_cntn k (arr t u)) ⊃ 
                   il ; nil ▷ (typeof_instr i t) ⊃ 
                   il ; nil ▷ (typeof_ans f u))) 

Unicity of typing: 

    ∀m ∀t1 ∀t2 (▷ (typeof m t1) ⊃ ▷ (typeof m t2) ⊃ t1 =i t2) 

Proof. The derivation of the unicity of typing is by complete induction on the 
height of the first typing derivation ▷ (typeof m t1). Let P1 be the predicate 

    λil ∀a (element a il ⊃ ∃x ∃t (a =atm (typeof (fst x) t))) 

and P2 the predicate 

    λil ∀x ∀t1 ∀t2 (element (typeof x t1) il ⊃ element (typeof x t2) il ⊃ t1 =i t2) . 

These predicates encode the requirements that the list of assumptions contains only 
typing assignments for variables and assigns only one type to any one variable. Our 
induction predicate IP is then 

    λj ∀il (list il ⊃ P1 il ⊃ P2 il ⊃ 
        ∀m ∀t1 ∀t2 (seq_j il nil (typeof m t1) ⊃ 
                    il ; nil ▷ (typeof m t2) ⊃ t1 =i t2)) . 

The details of the proof are presented in McDowell [1997]. □ 



10. RELATED WORK 

There are several approaches others have taken to reason about higher-order ab- 
stract syntax encodings directly in a formalized meta-language. Despeyroux, Felty, 
and Hirschowitz in [1994; 1995] show that induction principles for a restricted form 
of second-order abstract syntax can be derived in the Coq proof development sys- 
tem. To keep the definitions monotone, they introduce a separate type for variables 
and explicit coercions from variables to other types. For example, their constructors 
for λ-terms would be 

    var : vr → tm        abs : (vr → tm) → tm        app : tm → tm → tm , 

and the corresponding definition of typeof would be 

    typeof_vr : vr → ty → o        typeof : tm → ty → o 

    typeof (var X) T ≜ typeof_vr X T 
    typeof (abs M) (arr T U) ≜ ∀x (typeof_vr x T ⊃ typeof (M x) U) 
    typeof (app M N) T ≜ ∃u (typeof M (arr u T) ∧ typeof N u) . 

This is similar to our use of the two predicates hyp and conc in our encoding of 
intuitionistic logic in Section 4. Notice that the type tm does not occur negatively 
in the type of any of its constructors, nor does the predicate typeof occur negatively 
in its definition. This allows Coq to automatically construct induction principles 
for tm and typeof. Since object-level variable binding is still represented by meta- 
level λ-abstraction, the object language still inherits α-equivalence from the meta- 
language. Because the abstraction is over the type vr, however, meta-level β- 
reduction cannot be used for substitution.^ These approaches also lessen the power 
of the meta-level cut rule as a reasoning tool. Suppose that ∀x (typeof_vr x T ⊃ 
typeof (M x) U) and typeof N T are derivable. In contrast to our encoding, it is 
not immediate that substituting N for (var x) in (M x) yields a term M' such that 
typeof M' U is derivable. Thus of the three key benefits to higher-order abstract 
syntax, they only retain α-conversion. In addition, the Coq type (vr → tm) includes 
functions besides those expressible as λ-terms, so the type tm includes expressions 
that do not encode terms of the object language. They avoid these exotic terms 
through the definition and use of a validation predicate. The term language of 
FOλ^ΔIN, unlike that of Coq, does not include primitive recursion, so these exotic 
terms do not arise in our framework. 

^Here we are comparing the object system encodings. It is true that our explicit eigenvariable 
encoding style requires an explicit definition of substitution for the specification logic. So at the 
specification logic level of our framework, we too lose some of the benefits of higher-order abstract 
syntax. However, at the level of the object system, we use a true higher-order abstract syntax 
encoding with all of its benefits. Since we expect there to be only a few specification logics, but 
many object systems, it seems worth putting the extra effort into the specification logic to reap 
the benefit for the object systems. 



Despeyroux, Pfenning, and Schürmann [1997] address the problem of exotic terms 
by using a modal operator to distinguish the types of parametric functions (express- 
ible as λ-terms) from the types of arbitrary functions. As a result, their calculus 
allows primitive recursive functionals while preserving the adequacy of higher-order 
abstract syntax encodings. This represents a start toward a logical framework sup- 
porting meta-theoretic reasoning, higher-order abstract syntax, and the judgments- 
as-types principle. In such a framework a derivation would be represented as a 
function whose type is the derived property. Thus the → type constructor must 
be rich enough to include the mappings from derivations to derivations such as the 
realizations of case analysis and induction. Their work is orthogonal to our work 
presented in this paper. We are not attempting to support the judgments-as-types 
principle, so the types of our meta-logic are only used to encode syntactic structure. 
Thus we can restrict these types to include only λ-terms, ensuring the adequacy of 
encodings in higher-order abstract syntax. They, on the other hand, do not address 
the issue of induction principles for higher-order abstract syntax, or more generally, 
the issue of formal reasoning about higher-order abstract syntax encodings. 



Schürmann and Pfenning [1998] construct a meta-logic M2 to reason about de- 
ductive systems represented in LF. Their approach is similar in spirit to ours in 
that there are three levels: the deductive system(s) under consideration, the logic 
in which the deductive systems are encoded, and the logic in which meta-theoretic 
analysis takes place. The meta-logic M2 includes a case-analysis rule comparable 
to our defL rule and a recursion rule that generalizes our natL rule. Their inter- 
mediate logic, LF, includes dependent types, and so is richer than the intermediate 
logics we consider. On the other hand, our meta-logic is a general framework capa- 
ble of supporting a variety of intermediate logics (such as intuitionistic and linear 
logics), whereas M2 is designed for the specific, fixed intermediate logic LF. 

Still another strategy for meta-theoretic reasoning about higher-order abstract 
syntax encodings is to perform each case of a proof in the meta-logic, but verify the 
completeness of the proof outside the logical framework. Rohwedder and Pfenning 
[1992; 1996] investigate the design and implementation of such external validity 
conditions. 

Matthews seeks to reconcile the advantages of LF-style encodings with the facili- 
ties for meta-theoretic analysis found in theories of inductive definitions [Matthews 
1997]. His approach has some similarity to our own, in that he creates a three-level 
hierarchy, with each level being encoded in the previous. As in our approach, his 
top level contains a definition facility and induction principles for reasoning about 
encodings at the next level. However, his logic at the intermediate level contains 
only an implication connective and no quantifiers. Thus he does not address the 
treatment of object-level bound variables, a major feature of higher-order abstract 
syntax and, consequently, of our work. 

11. CONCLUSION 

In this paper we have presented a single and simply motivated meta-logic FOλ^ΔIN. 
We used this meta-logic as the basis of a framework for formal reasoning about 
systems expressed in higher-order abstract syntax, avoiding the apparent tradeoff 
between the benefits of this representation technique and the ability to perform 
meta-theoretic analyses of encodings. We demonstrated this framework on encod- 
ings of three programming languages encompassing both functional and imperative 
paradigms. A number of significant theorems about these languages were derived 
in this framework, including unicity of typing and subject reduction. The flexibil- 
ity of the framework was also shown through the use of intuitionistic and linear 
specification logics. 

The meta-logic FOλ^ΔIN has also been used to reason about simulation and bisim- 
ulation in abstract transition systems and CCS [McDowell et al.]. These transition 
systems did not contain binding operators, and so both the specification and rea- 
soning were done in the meta-logic. We have already begun using the techniques 
presented in the current paper to extend that work to the setting of applicative 
bisimulation [Abramsky 1990]. It would also be interesting to use Howe's technique 
[Howe 1996] to prove the congruence of bisimulation in our framework. 



Additional work in analysis of programming languages along the lines of Part III 
could also be done. Time precluded us from proving the determinacy of evalua- 
tion for PCF:=, for example, and a transition semantics for the language could be 
constructed and shown to be equivalent to the natural semantics we constructed. 
It would also be interesting to formalize other analyses; Hannan and Miller [1992], 
for example, construct abstract machines from operational semantics by applying 
a series of transformations and argue informally that the transformations preserve 
correctness. Richer languages could also be considered, including features such as 
concurrency, exceptions, and polymorphism. Linear logic has been used to specify 
such features in a manner that is suitable for use in our setting [Chirimar 1995; 
Miller 1996]. 



The formal derivations described in this paper have been checked using the Pi 
derivation editor of Lars-Henrik Eriksson [Eriksson 1994]; see McDowell [1997] for 
a discussion of the effectiveness of this editor for constructing FOλ^ΔIN proofs. An 
important next step in this line of work is to implement a theorem prover that 
provides semi-automated assistance in proving FOλ^ΔIN theorems. Miller and Wajs 
are building a prototype theorem prover named Iris [Wajs 2000] within λProlog. 



Finally, alternatives to the explicit eigenvariable encoding of Section 4.4 could 
be explored. Although this encoding supports the higher-order abstract syntax 
representation of bound variables and allows substantial meta-theoretic analysis, it 
does have some drawbacks. The pervasive presence of the evs parameter represent- 
ing the free variable list is somewhat cumbersome, and numerous lemmas must be 
proved to show that various properties are preserved by extensions of this list or 
substitution for free variables. The obvious alternative, a de Bruijn-style encoding 
of free variables, would require a similar amount of work and would not support the 
higher-order abstract syntax representation for bound variables. It is important to 
point out that this issue relates to the encoding of the specification logic, not the 
object systems, of our framework. Thus these lemmas need to be proved only once 
for any specification logic, not for every object system, and so the representational 
advantage of higher-order abstract syntax for the object systems is preserved. 